Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2024 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stealers/Dridex.dll

  • Size

    1.2MB

  • MD5

    304109f9a5c3726818b4c3668fdb71fd

  • SHA1

    2eb804e205d15d314e7f67d503940f69f5dc2ef8

  • SHA256

    af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

  • SHA512

    cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3428
  • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    1⤵
      PID:5112
    • C:\Users\Admin\AppData\Local\JtoLE94d\ApplySettingsTemplateCatalog.exe
      C:\Users\Admin\AppData\Local\JtoLE94d\ApplySettingsTemplateCatalog.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1484
    • C:\Windows\system32\consent.exe
      C:\Windows\system32\consent.exe
      1⤵
        PID:2504
      • C:\Users\Admin\AppData\Local\G51n\consent.exe
        C:\Users\Admin\AppData\Local\G51n\consent.exe
        1⤵
        • Executes dropped EXE
        PID:3472
      • C:\Windows\system32\rdpshell.exe
        C:\Windows\system32\rdpshell.exe
        1⤵
          PID:2544
        • C:\Users\Admin\AppData\Local\ARZ\rdpshell.exe
          C:\Users\Admin\AppData\Local\ARZ\rdpshell.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5064
        • C:\Windows\system32\DevicePairingWizard.exe
          C:\Windows\system32\DevicePairingWizard.exe
          1⤵
            PID:4284
          • C:\Users\Admin\AppData\Local\d2h\DevicePairingWizard.exe
            C:\Users\Admin\AppData\Local\d2h\DevicePairingWizard.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2000

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\ARZ\WTSAPI32.dll
            Filesize

            1.2MB

            MD5

            10f9c2a121227cc52e0201cce61f93ab

            SHA1

            871578640cb527ca09af92a253d937b165c2be5a

            SHA256

            a70a6aabe55532ed7ecf78c6253d1c10d099ad1dcd199d163cab4c9157a132e2

            SHA512

            effe659012a6964aa7b7f89082ad55bb04f1ec3ca5130426b0bc86b940a544c15d959fe7d42bcab790420ab1c9b1ab725f99973fe029252f3b56e693e0343635

            Download Submit

          • C:\Users\Admin\AppData\Local\ARZ\rdpshell.exe
            Filesize

            468KB

            MD5

            428066713f225bb8431340fa670671d4

            SHA1

            47f6878ff33317c3fc09c494df729a463bda174c

            SHA256

            da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

            SHA512

            292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

            Download Submit

          • C:\Users\Admin\AppData\Local\G51n\consent.exe
            Filesize

            162KB

            MD5

            6646631ce4ad7128762352da81f3b030

            SHA1

            1095bd4b63360fc2968d75622aa745e5523428ab

            SHA256

            56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

            SHA512

            1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

            Download Submit

          • C:\Users\Admin\AppData\Local\JtoLE94d\ACTIVEDS.dll
            Filesize

            1.2MB

            MD5

            6681324c7d4c9a50831404daaf95f7df

            SHA1

            29ce3eb5c7e0eaa9f4da9fd6d9f43115f69acd5a

            SHA256

            d6f6397898958f23fe1666e6f4f068d701c2bb82d3d41250c70d3e7b05fdc949

            SHA512

            8f22fb26de038af4be7c4cbe4c0806e106e7fcdb3a9a3540d1c996794db74f6b7c0a2bc447dfd789d8bbe8817815442b32b86fd9426b97f1bb0e9c7a2a4386d0

            Download Submit

          • C:\Users\Admin\AppData\Local\JtoLE94d\ApplySettingsTemplateCatalog.exe
            Filesize

            1.1MB

            MD5

            13af41b1c1c53c7360cd582a82ec2093

            SHA1

            7425f893d1245e351483ab4a20a5f59d114df4e1

            SHA256

            a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

            SHA512

            c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

            Download Submit

          • C:\Users\Admin\AppData\Local\d2h\DevicePairingWizard.exe
            Filesize

            93KB

            MD5

            d0e40a5a0c7dad2d6e5040d7fbc37533

            SHA1

            b0eabbd37a97a1abcd90bd56394f5c45585699eb

            SHA256

            2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

            SHA512

            1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

            Download Submit

          • C:\Users\Admin\AppData\Local\d2h\MFC42u.dll
            Filesize

            1.3MB

            MD5

            b5a4494e1fb36175875cc3aa16153f22

            SHA1

            e88952374c863daf5753a2649f271521269304a6

            SHA256

            f17b4da6e061135edc841215bf56fed61757d24e76f92f4ebfad4746fd9df5d0

            SHA512

            ae17f0f3777a420841ccccd674465de98d7fdf90149b7ebb8c9546469b3287d793b43f912b2e51493d32d38facc854d5480dae12179f826e86135cb9cac6e76b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk
            Filesize

            1KB

            MD5

            8720176795ad952e8df511160ef2ba50

            SHA1

            a8c9f7e1518e8489e16edd241de2ac81b8b1fc45

            SHA256

            b16c649a53ae4a496abf29b521fa7b4cc23b72233e2b804d4b60c7bba8ef7928

            SHA512

            e5409b86f2520108f96e87ca997a485d12a8690cc35666f712fa93f53c202b0cd45373bf115b834398795df6c3367bc2f7254d0418e31452aac5b30dc995b629

            Download Submit

          • memory/1484-46-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1484-48-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1484-53-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1484-47-0x000001FF1B890000-0x000001FF1B897000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2000-97-0x0000000140000000-0x000000014014A000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2000-90-0x0000000140000000-0x000000014014A000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2000-91-0x0000000140000000-0x000000014014A000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3428-3-0x000001F3531D0000-0x000001F3531D7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3428-39-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3428-1-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-14-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-35-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-26-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-7-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-8-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-9-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-12-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-11-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-4-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3476-10-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-16-0x00000000026F0000-0x00000000026F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3476-13-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-15-0x00007FFAF276A000-0x00007FFAF276B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3476-6-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3476-38-0x00007FFAF3BF0000-0x00007FFAF3C00000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3476-17-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/5064-72-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/5064-79-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/5064-73-0x00000183C6550000-0x00000183C6557000-memory.dmp

            Filesize

            28KB

            Download