Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

1

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stealers/Dridex.dll

  • Size

    1.2MB

  • MD5

    304109f9a5c3726818b4c3668fdb71fd

  • SHA1

    2eb804e205d15d314e7f67d503940f69f5dc2ef8

  • SHA256

    af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

  • SHA512

    cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4044
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    1⤵
      PID:1488
    • C:\Users\Admin\AppData\Local\Trdxzmfuf\SystemPropertiesDataExecutionPrevention.exe
      C:\Users\Admin\AppData\Local\Trdxzmfuf\SystemPropertiesDataExecutionPrevention.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:624
    • C:\Windows\system32\MoUsoCoreWorker.exe
      C:\Windows\system32\MoUsoCoreWorker.exe
      1⤵
        PID:4556
      • C:\Users\Admin\AppData\Local\UutdpO4I\MoUsoCoreWorker.exe
        C:\Users\Admin\AppData\Local\UutdpO4I\MoUsoCoreWorker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2004
      • C:\Windows\system32\perfmon.exe
        C:\Windows\system32\perfmon.exe
        1⤵
          PID:636
        • C:\Users\Admin\AppData\Local\NpORxIYw5\perfmon.exe
          C:\Users\Admin\AppData\Local\NpORxIYw5\perfmon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\NpORxIYw5\credui.dll
          Filesize

          1.2MB

          MD5

          ee6949bde7b37921ffdb5745a5b2f77d

          SHA1

          726018b70977a57480db37966f6469268714260a

          SHA256

          5ba918f95e71a70928b63329fdf4f9df97b9fd8bdb15679f8344faeba097a6c0

          SHA512

          a8486776c956ae00e2580f69619ad34eaf44c8818a2193d76f89c400695016c231130af02fbaf776879d0f8c501ecaca5535c787dae329e7952df99d08f5b050

          Download Submit

        • C:\Users\Admin\AppData\Local\NpORxIYw5\perfmon.exe
          Filesize

          177KB

          MD5

          d38aa59c3bea5456bd6f95c73ad3c964

          SHA1

          40170eab389a6ba35e949f9c92962646a302d9ef

          SHA256

          5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

          SHA512

          59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

          Download Submit

        • C:\Users\Admin\AppData\Local\Trdxzmfuf\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          871f54674a5f184d6819142f096df9a3

          SHA1

          b36af93fb47ae742ca9563b414ceb6e4d54cc60a

          SHA256

          2c3018181ab364f2214385d4047e61474ef815a9019237bca2d5e5500531a7a3

          SHA512

          52a9429270a5dd2f1eb30b8b385e20b85f53701ecc15159311f3867971329fc035d8139c4758423fbc6369af7b943538e7fb116f456982bce7bac489c016c439

          Download Submit

        • C:\Users\Admin\AppData\Local\Trdxzmfuf\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          82KB

          MD5

          de58532954c2704f2b2309ffc320651d

          SHA1

          0a9fc98f4d47dccb0b231edf9a63309314f68e3b

          SHA256

          1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

          SHA512

          d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

          Download Submit

        • C:\Users\Admin\AppData\Local\UutdpO4I\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\UutdpO4I\XmlLite.dll
          Filesize

          1.2MB

          MD5

          90f1554a5e5cb4bc7c0b67920d773388

          SHA1

          172865fb1752da3d44a062812e7393cebec158a0

          SHA256

          bc368dfcc96d113046dc8b71848b85a74a15477ff1d44717b93fc3224a5519db

          SHA512

          86b7c5d09ba78ff7d65c9e3ab2c27874247bd7191df264e72176aa97a6c72273bcd2c185487d19dacd350462c511400d1d0cb9a7cc119b7d16b0cb3a5a2a0207

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Puokv.lnk
          Filesize

          967B

          MD5

          9227ecf3214e09c7e388a43eb02a3c37

          SHA1

          08a323871c9b8878bff7b62ce0dd8d67425c9123

          SHA256

          f1ffb184c61dd3323bbbd38a4b8b6e14528b732416a20c52375ae33464fcdc87

          SHA512

          2c935a51f18a931246e30c55260ed6c87c6c7212687647185fa18cf086aee1dd6a7dd8f032f8698913ee70cb1b65e78596134142db4b19e2f309ea3fef677b07

          Download Submit

        • memory/624-49-0x00000146DCF50000-0x00000146DCF57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/624-46-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/624-52-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2004-69-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2004-63-0x00000224002B0000-0x00000224002B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2044-83-0x00000152EF380000-0x00000152EF387000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2044-86-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-29-0x00000000008D0000-0x00000000008D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3532-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-36-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-6-0x00007FF977DFA000-0x00007FF977DFB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3532-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-4-0x0000000002850000-0x0000000002851000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3532-30-0x00007FF978030000-0x00007FF978040000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3532-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3532-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4044-0-0x000001597EC90000-0x000001597EC97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4044-39-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4044-1-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download