Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

Stealers/M..._2.exe

windows7-x64

9

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

12-09-2024 02:23

240912-cvfznswere 10

04-09-2024 00:09

240904-afvheascla 10

03-09-2024 18:57

240903-xl8csavfrb 10

03-09-2024 18:12

240903-ws828asgnm 10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-09-2024 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stealers/Dridex.dll

  • Size

    1.2MB

  • MD5

    304109f9a5c3726818b4c3668fdb71fd

  • SHA1

    2eb804e205d15d314e7f67d503940f69f5dc2ef8

  • SHA256

    af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

  • SHA512

    cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2348
  • C:\Windows\system32\ComputerDefaults.exe
    C:\Windows\system32\ComputerDefaults.exe
    1⤵
      PID:2124
    • C:\Users\Admin\AppData\Local\ut4z9\ComputerDefaults.exe
      C:\Users\Admin\AppData\Local\ut4z9\ComputerDefaults.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2976
    • C:\Windows\system32\psr.exe
      C:\Windows\system32\psr.exe
      1⤵
        PID:2332
      • C:\Users\Admin\AppData\Local\lxU\psr.exe
        C:\Users\Admin\AppData\Local\lxU\psr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2468
      • C:\Windows\system32\wusa.exe
        C:\Windows\system32\wusa.exe
        1⤵
          PID:2904
        • C:\Users\Admin\AppData\Local\ExOw0y\wusa.exe
          C:\Users\Admin\AppData\Local\ExOw0y\wusa.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2924

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ExOw0y\wusa.exe
          Filesize

          300KB

          MD5

          c15b3d813f4382ade98f1892350f21c7

          SHA1

          a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

          SHA256

          8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

          SHA512

          6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

          Download Submit

        • C:\Users\Admin\AppData\Local\ut4z9\ComputerDefaults.exe
          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          6edada673a520bca5afda93fa13b21f6

          SHA1

          c7257107dbac76503f125da81ca21f46005ddfa2

          SHA256

          88576670b8a6ba44129a12558bb844e30410ef249d6a0b7362505412e6d62163

          SHA512

          3156625061a8a250e14b68841f3f451996b74fe3032e108bf25054c62fdcd7f27615e410ede157c5d7174ae6dddb5b9321b03886b73fa77afcb4db350bdee716

          Download Submit

        • \Users\Admin\AppData\Local\ExOw0y\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          b14f602e83ceab049f0c43cef8e7abf9

          SHA1

          99c258640debaab9991c392c8045f27e6865ec8c

          SHA256

          aca5a8d4482e05506563814c6dd9809df04443f92adbbd473289c7cafbbbc006

          SHA512

          c7aa6e4a2645ca067bdccb036a7095f4d7c4f34523f3c468691040fcdb0f771e0fd45d9c9f1d39aa0d2079cd72448cb6023a33db4acb38ec1b9783a91168a1d4

          Download Submit

        • \Users\Admin\AppData\Local\lxU\XmlLite.dll
          Filesize

          1.2MB

          MD5

          cafb7387d3699a5332773c86f1e4bd01

          SHA1

          b241c3eff348b0e8b14200a1d13a45deda93c474

          SHA256

          894ddf797a7867cb7694c78d0c894e3b80a41e7a5c5725393cd740ee0fd97309

          SHA512

          e0a466df311071b9ef740cc1274c0ca7ea50a4002cd6b9bc9c1b9a386904d4875361b92e76a75ec88d620a24ba75241c92dcaaa3109f810ae446e9d448a2b310

          Download Submit

        • \Users\Admin\AppData\Local\lxU\psr.exe
          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

          Download Submit

        • \Users\Admin\AppData\Local\ut4z9\appwiz.cpl
          Filesize

          1.2MB

          MD5

          63ed40ad83a2df1cabbb3a2a1eb2d051

          SHA1

          9b809c00850b992843970f31054fb8e03447b803

          SHA256

          642a2aca3cc377c96cb1a7382661807be0e4eebe2cfbc7a3f191a367953b67d7

          SHA512

          776ef5ca634e3455503e4bb04855ffa116a32f5ed18fd06bb589f824d733f6704c9df0d1487c13d294c5e83d6e928a9588623d7e32554750bbd7ee1cefd9909a

          Download Submit

        • memory/1196-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-37-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-30-0x0000000077200000-0x0000000077202000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-29-0x0000000077071000-0x0000000077072000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-26-0x0000000002A40000-0x0000000002A47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-38-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-47-0x0000000076E66000-0x0000000076E67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-4-0x0000000076E66000-0x0000000076E67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-5-0x0000000002A60000-0x0000000002A61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2348-0-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2348-46-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2348-1-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2468-77-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2468-72-0x0000000000720000-0x0000000000727000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2924-93-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2924-98-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2976-56-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2976-60-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2976-55-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download