Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2024 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stealers/Dridex.dll

  • Size

    1.2MB

  • MD5

    304109f9a5c3726818b4c3668fdb71fd

  • SHA1

    2eb804e205d15d314e7f67d503940f69f5dc2ef8

  • SHA256

    af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

  • SHA512

    cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:6008
  • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    1⤵
      PID:4956
    • C:\Users\Admin\AppData\Local\w2CE\ApplySettingsTemplateCatalog.exe
      C:\Users\Admin\AppData\Local\w2CE\ApplySettingsTemplateCatalog.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4408
    • C:\Windows\system32\wlrmdr.exe
      C:\Windows\system32\wlrmdr.exe
      1⤵
        PID:3392
      • C:\Users\Admin\AppData\Local\inMa0\wlrmdr.exe
        C:\Users\Admin\AppData\Local\inMa0\wlrmdr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2812
      • C:\Windows\system32\msra.exe
        C:\Windows\system32\msra.exe
        1⤵
          PID:2500
        • C:\Users\Admin\AppData\Local\j3yZC\msra.exe
          C:\Users\Admin\AppData\Local\j3yZC\msra.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:560

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\inMa0\DUI70.dll
          Filesize

          1.5MB

          MD5

          d5fc775a8f21df85c56ec185ed82cc98

          SHA1

          4102f03fa0e5f4cc29f48bc81bc32b6e2bb6b5bc

          SHA256

          cabfcd81637aed3fd67f63c92e379e23e05062306dac1e2253aca8dde7d6fb2f

          SHA512

          00979ac3cc5ea0a06f7b8234b0246103c04bc86a876ea097b069137fe7ab3a72ec8bd8b9394921d78a73562e8b0e5e292e393ea61fbdd0a654b90e5499f6f8cb

          Download Submit

        • C:\Users\Admin\AppData\Local\inMa0\wlrmdr.exe
          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

          Download Submit

        • C:\Users\Admin\AppData\Local\j3yZC\NDFAPI.DLL
          Filesize

          1.2MB

          MD5

          773357e3b2cc5afed7e25d1570831c17

          SHA1

          57f63fadd713c0af56e768d57f09c94f2a928f87

          SHA256

          17baf79bdddc0be3016e94b7c48f928f5e0cdfd52b61d1013b94d3093f06d3e0

          SHA512

          b51eba363a05d09d9dff979abf353b3488f8baaca740281542977027428192608c84b97c678baabed564858db1d94bf9a0422878ffd7ee43443aecdba922f46a

          Download Submit

        • C:\Users\Admin\AppData\Local\j3yZC\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Local\w2CE\ACTIVEDS.dll
          Filesize

          1.2MB

          MD5

          c05f593e91b1a598e26754ffa0c31923

          SHA1

          493d07fe1bc7bef66aef847a36baadd97fbe91e5

          SHA256

          8ce62ea4f1f45b429b367401cd127f78812c050f00ad50a87e78dcc22ee25662

          SHA512

          a83c88e82b125a1638b77a106c67a8f265e8cc0c02081419f6ee1cba23597cc5475881b39ed92b4aad7dd39f8d513cb9818d15b03aff335ae0ff1df0aa3f7b95

          Download Submit

        • C:\Users\Admin\AppData\Local\w2CE\ApplySettingsTemplateCatalog.exe
          Filesize

          1.1MB

          MD5

          13af41b1c1c53c7360cd582a82ec2093

          SHA1

          7425f893d1245e351483ab4a20a5f59d114df4e1

          SHA256

          a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

          SHA512

          c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk
          Filesize

          1KB

          MD5

          67e6692c6358cb19cf075e44d56086da

          SHA1

          44509a278a73368a18777dd145b1a0a49fb1e3bd

          SHA256

          b1ea5f51ceeeafb728a763c86cca04d76ac65430b7c87ea88e73c31cd91455e7

          SHA512

          b597680ee17fb1104ce8235088713c8b4b3e627aa4a8aac29ccf331de4597dc6d58ee1896c925a170cc6e1e6b090e51661122a83fe0862e7793a934da2248fb8

          Download Submit

        • memory/560-86-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/560-80-0x000001D984290000-0x000001D984297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2812-69-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2812-64-0x0000000140000000-0x0000000140189000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2812-63-0x000002782DF00000-0x000002782DF07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3568-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-6-0x00007FFAAEACA000-0x00007FFAAEACB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3568-29-0x00007FFAAFF70000-0x00007FFAAFF80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3568-4-0x00000000012D0000-0x00000000012D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3568-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-28-0x0000000001260000-0x0000000001267000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3568-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3568-36-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4408-52-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4408-47-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4408-46-0x000002A2143A0000-0x000002A2143A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/6008-0-0x000001E5F56A0000-0x000001E5F56A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/6008-39-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/6008-2-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download