Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2024 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stealers/Dridex.dll

  • Size

    1.2MB

  • MD5

    304109f9a5c3726818b4c3668fdb71fd

  • SHA1

    2eb804e205d15d314e7f67d503940f69f5dc2ef8

  • SHA256

    af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

  • SHA512

    cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3420
  • C:\Windows\system32\GamePanel.exe
    C:\Windows\system32\GamePanel.exe
    1⤵
      PID:3984
    • C:\Users\Admin\AppData\Local\ujmuai\GamePanel.exe
      C:\Users\Admin\AppData\Local\ujmuai\GamePanel.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2536
    • C:\Windows\system32\dccw.exe
      C:\Windows\system32\dccw.exe
      1⤵
        PID:1432
      • C:\Users\Admin\AppData\Local\rdDuS4\dccw.exe
        C:\Users\Admin\AppData\Local\rdDuS4\dccw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3264
      • C:\Windows\system32\FXSCOVER.exe
        C:\Windows\system32\FXSCOVER.exe
        1⤵
          PID:412
        • C:\Users\Admin\AppData\Local\gZKSNb1\FXSCOVER.exe
          C:\Users\Admin\AppData\Local\gZKSNb1\FXSCOVER.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4324

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\gZKSNb1\FXSCOVER.exe
          Filesize

          242KB

          MD5

          5769f78d00f22f76a4193dc720d0b2bd

          SHA1

          d62b6cab057e88737cba43fe9b0c6d11a28b53e8

          SHA256

          40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

          SHA512

          b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

          Download Submit

        • C:\Users\Admin\AppData\Local\gZKSNb1\MFC42u.dll
          Filesize

          1.3MB

          MD5

          de11109c8a1c22c183ac59d770f0b0ad

          SHA1

          77d65a86c05bb71fa5e130eb32d76c02931f98bb

          SHA256

          eb8765713566e49070ddfda377221161f74f293b34c9f94b4cc4c9a931b9c2a8

          SHA512

          d84efa9d559b2e440f6fe8117c4ef1060e390b0e8055ce85a2b2fbf802bf97bff2215a5b26238264bb2a9547870c585643af4adfe41bff0335f3b12a0b17c265

          Download Submit

        • C:\Users\Admin\AppData\Local\rdDuS4\dccw.exe
          Filesize

          101KB

          MD5

          cb9374911bf5237179785c739a322c0f

          SHA1

          3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

          SHA256

          f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

          SHA512

          9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

          Download Submit

        • C:\Users\Admin\AppData\Local\rdDuS4\mscms.dll
          Filesize

          1.2MB

          MD5

          2b8b8dc0cb6e4c02cac7717c65468393

          SHA1

          7cf806555389112d7b20c0358db5e0c2a4c7651b

          SHA256

          179c86a95d21a1395ded36c6e01be3f9666d9348658ec3ff7be744144e5f2f7f

          SHA512

          2de3108ebb0622d801e0029bc7ae3ee71a269dafc884923ff0bb3d25fe79b99fd95a8caef7bc5f3402bec4e8df5456c86b4a7cf3c448a3aab8057510abf14d33

          Download Submit

        • C:\Users\Admin\AppData\Local\ujmuai\GamePanel.exe
          Filesize

          1.2MB

          MD5

          266f6a62c16f6a889218800762b137be

          SHA1

          31b9bd85a37bf0cbb38a1c30147b83671458fa72

          SHA256

          71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

          SHA512

          b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

          Download Submit

        • C:\Users\Admin\AppData\Local\ujmuai\UxTheme.dll
          Filesize

          1.2MB

          MD5

          1af315503abfc642933cb67bd963578c

          SHA1

          91e8dd45bee541fbcadaa8bb4b7394423ecedc3c

          SHA256

          b9d3304733a40c0539163e029b5bab0aa2701513b2a129fea9eb9b2716e21e1f

          SHA512

          0a0787dd6f741dd20dad5b6b56d98d7b0446f2ac5fb0432d84149322730dcef6f74d4f38beb59ee9fb9093eb5238048a682eae0aea36c2444a070db4e3be3102

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk
          Filesize

          1KB

          MD5

          80e3dc85016015707174d0c296b4220e

          SHA1

          922175135970d18efbf07fa813f7201d76f68cb1

          SHA256

          cf8f4069d0242af49a663931820aab37f15fad9d6338df19ba72d66916566683

          SHA512

          058638928f60d433a6c8e54b89c16423a8ad3397c373e89fc325fd75f40faecacaac206e4891f1a7494a8df480b53aa0ab851326723bcb927eff070f806f3ae5

          Download Submit

        • memory/2536-46-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2536-52-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2536-49-0x000001F17DED0000-0x000001F17DED7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3264-66-0x0000026B5C410000-0x0000026B5C417000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3264-63-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3264-69-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3420-0-0x0000022C63150000-0x0000022C63157000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3420-39-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3420-1-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-36-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-29-0x00000000007A0000-0x00000000007A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-30-0x00007FFE89770000-0x00007FFE89780000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3464-4-0x0000000002910000-0x0000000002911000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-5-0x00007FFE8875A000-0x00007FFE8875B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4324-85-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4324-80-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download