dridex | 25b16667b3194dd3d15525eb88f274a305786de7e39fd789ff3da514379f7dcb

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 21:53

Target

e5f13c6bb1109d1197126921de074041_JaffaCakes118.dll
Size

188KB
MD5

e5f13c6bb1109d1197126921de074041
SHA1

6c21987c6231db7514ce3b4c93e2ca3df76c4902
SHA256

25b16667b3194dd3d15525eb88f274a305786de7e39fd789ff3da514379f7dcb
SHA512

203104e4a72ac6848e60c358896871ae66e35dc30dc14c7e9a399972749e062f9ebddb2c26d24a09b2e90f9a20808f49ea2cf1f6e91e7dc69e3c2de7c9a9b148
SSDEEP

3072:gA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAolo:gzIqATVfQeV2FZalKq6jtGJWuTmd

Score

10^/10

Family

dridex

Botnet

22201

103.82.248.59:443

54.39.98.141:6602

103.109.247.8:10443

rc4.plain

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

Processes:

resource	yara_rule
behavioral2/memory/4928-0-0x0000000074A00000-0x0000000074A30000-memory.dmp	dridex_ldr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4428 4928 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4428	4928	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2376 wrote to memory of 4928	2376	rundll32.exe	rundll32.exe
PID 2376 wrote to memory of 4928	2376	rundll32.exe	rundll32.exe
PID 2376 wrote to memory of 4928	2376	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5f13c6bb1109d1197126921de074041_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5f13c6bb1109d1197126921de074041_JaffaCakes118.dll,#1
2⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 692
3⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4928 -ip 4928
1⤵
PID:2996

memory/4928-0-0x0000000074A00000-0x0000000074A30000-memory.dmp

Filesize
192KB

Download
memory/4928-1-0x0000000000A50000-0x0000000000A56000-memory.dmp

Filesize
24KB

Download