Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-09-2024 02:31

General

  • Target

    b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6N.dll

  • Size

    184KB

  • MD5

    8c63bc0d2a4eab2f8fb559fd45da5350

  • SHA1

    c01afa558e5337e755da5aef10112a7cf2c4b8e9

  • SHA256

    b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6

  • SHA512

    595fd36e712b701ebced238806487fe3f96944ec1c7c4702946a0a8e2bddf90200832928ade29a2c313488b324c957b83dce3138d55f21d21888b62ea7231de9

  • SSDEEP

    3072:VgkQz1PuOprc+kq6VNOe3qbarVEpZlcbBacS9nOdgWdA4l:0PFkq6zOe5ilSanOJd

Malware Config

Extracted

Family

dridex

Botnet

22201

C2

103.75.201.2:443

158.223.1.108:6225

165.22.28.242:4664

rc4.plain
1
KaFOTWRMoR1YwIux5lF0nBwfe5be1tbuvd
rc4.plain
1
Ra39vlO6cyQZ86AReFzbyefW9iAl9GnOxzuP11b53gsERGAHgaGWnMp2ms0CeVMp9c67YT8V

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 1 IoCs

    Detects both the x86 and x64 Dridex loader in memory.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6N.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6N.dll,#1
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 220
        • Program crash
        PID:1668

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/964-0-0x00000000001A0000-0x00000000001A6000-memory.dmp

    Filesize

    24KB

  • memory/964-1-0x0000000075160000-0x0000000075190000-memory.dmp

    Filesize

    192KB

  • memory/964-4-0x00000000001A0000-0x00000000001A6000-memory.dmp

    Filesize

    24KB