dridex | db76e9aef5769f4d7d4ca37b2f0160a8729aacc8fafae46190d58b99b32b1dff

General

Target

db76e9aef5769f4d7d4ca37b2f0160a8729aacc8fafae46190d58b99b32b1dff.dll
Size

676KB
MD5

9c45751dda6ab4ac264d1295ab158efa
SHA1

59b727fd59931da358622c7992fc4b9f9d20e295
SHA256

db76e9aef5769f4d7d4ca37b2f0160a8729aacc8fafae46190d58b99b32b1dff
SHA512

155f17dbb814e0cf27c87c3c059a9e5c70f17f3888c8bf70a9775655409a504db84a455f50fa2de52bbec5b962f2a2b9f2ada52012933a05380128d3c36e0652
SSDEEP

6144:q34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:qIKp/UWCZdCDh2IZDwAFRpR6Au

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1140-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2644-0-0x000007FEF7900000-0x000007FEF79A9000-memory.dmp	dridex_payload
behavioral1/memory/1140-19-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1140-26-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1140-37-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/1140-39-0x0000000140000000-0x00000001400A9000-memory.dmp	dridex_payload
behavioral1/memory/2644-46-0x000007FEF7900000-0x000007FEF79A9000-memory.dmp	dridex_payload
behavioral1/memory/2764-55-0x000007FEF79B0000-0x000007FEF7A5A000-memory.dmp	dridex_payload
behavioral1/memory/2764-60-0x000007FEF79B0000-0x000007FEF7A5A000-memory.dmp	dridex_payload
behavioral1/memory/2632-73-0x000007FEF70D0000-0x000007FEF717A000-memory.dmp	dridex_payload
behavioral1/memory/2632-77-0x000007FEF70D0000-0x000007FEF717A000-memory.dmp	dridex_payload
behavioral1/memory/1564-89-0x000007FEF70D0000-0x000007FEF7180000-memory.dmp	dridex_payload
behavioral1/memory/1564-93-0x000007FEF70D0000-0x000007FEF7180000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rdpshell.exeEhStorAuthn.exeFXSCOVER.exe

pid process

2764 rdpshell.exe
2632 EhStorAuthn.exe
1564 FXSCOVER.exe
Loads dropped DLL 7 IoCs

Processes:

rdpshell.exeEhStorAuthn.exeFXSCOVER.exe

pid process

1140
2764 rdpshell.exe
1140
2632 EhStorAuthn.exe
1140
1564 FXSCOVER.exe
1140

pid	process
2764	rdpshell.exe
2632	EhStorAuthn.exe
1564	FXSCOVER.exe

pid	process
1140
2764	rdpshell.exe
1140
2632	EhStorAuthn.exe
1140
1564	FXSCOVER.exe
1140

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\W4LwfiHL7j\\EhStorAuthn.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpshell.exeEhStorAuthn.exeFXSCOVER.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerdpshell.exe

pid	process
2644	rundll32.exe
2644	rundll32.exe
2644	rundll32.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
2764	rdpshell.exe
2764	rdpshell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1140 wrote to memory of 2760	1140	rdpshell.exe
PID 1140 wrote to memory of 2760	1140	rdpshell.exe
PID 1140 wrote to memory of 2760	1140	rdpshell.exe
PID 1140 wrote to memory of 2764	1140	rdpshell.exe
PID 1140 wrote to memory of 2764	1140	rdpshell.exe
PID 1140 wrote to memory of 2764	1140	rdpshell.exe
PID 1140 wrote to memory of 2592	1140	EhStorAuthn.exe
PID 1140 wrote to memory of 2592	1140	EhStorAuthn.exe
PID 1140 wrote to memory of 2592	1140	EhStorAuthn.exe
PID 1140 wrote to memory of 2632	1140	EhStorAuthn.exe
PID 1140 wrote to memory of 2632	1140	EhStorAuthn.exe
PID 1140 wrote to memory of 2632	1140	EhStorAuthn.exe
PID 1140 wrote to memory of 1896	1140	FXSCOVER.exe
PID 1140 wrote to memory of 1896	1140	FXSCOVER.exe
PID 1140 wrote to memory of 1896	1140	FXSCOVER.exe
PID 1140 wrote to memory of 1564	1140	FXSCOVER.exe
PID 1140 wrote to memory of 1564	1140	FXSCOVER.exe
PID 1140 wrote to memory of 1564	1140	FXSCOVER.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db76e9aef5769f4d7d4ca37b2f0160a8729aacc8fafae46190d58b99b32b1dff.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2760

C:\Users\Admin\AppData\Local\aROCCBh4A\rdpshell.exe
C:\Users\Admin\AppData\Local\aROCCBh4A\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:2592

C:\Users\Admin\AppData\Local\Qvp3bB\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\Qvp3bB\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2632

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1896

C:\Users\Admin\AppData\Local\su53k\FXSCOVER.exe
C:\Users\Admin\AppData\Local\su53k\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Qvp3bB\UxTheme.dll

Filesize
680KB

MD5
4cd90f7cf9466f757c3ef24c4b2b21bd

SHA1
32d22ab32c10c3512e575c3595f2458355922bd0

SHA256
1c49d73e2eef0f354e9898cfde6497e2166171741aca50d7667eb4f1b1ac6b7a

SHA512
ce8fdafa568603b3e3ecb192bd7684a860609cd5c82a2d83ef85ddb2d94cf2df8ecc9d6b0964bb25bb72f002cf0a097862906a25bde03f8e413ced3c595d4659

Download Submit
C:\Users\Admin\AppData\Local\aROCCBh4A\WTSAPI32.dll

Filesize
680KB

MD5
50f9b48d74ed18ab00aac2b86fc787dd

SHA1
7c01fbb947023a43cc58e34f836fe75abdcd6bf4

SHA256
1b98e18c89cf8ab4dadf0ecd7ddc30a0658897dab12313e2428a095775e96cf9

SHA512
0c703218db60cfaab0dabd363283c4c0bb66b2ca0697dd8f368853027e475572c632256318b71d738c2827088abc90f85a6aa9edb7fc51c0602a1235182d3c66

Download Submit
C:\Users\Admin\AppData\Local\su53k\MFC42u.dll

Filesize
704KB

MD5
0ef06714d2b166b5ee321056310ad0ca

SHA1
37f25645777a88bc4cc36939175daf75d18a9ffd

SHA256
42a974e2b3c8b0f13195227b6e2ccc3c16976e7cda1697ba03428be61c5da007

SHA512
cd32db0f050b252492e9c0a3b922f0576400c83f16a2192782882a40622818db8bf8ed8cdfb5f2ef023cee96a02c19ae220ef09656c1dd06587cc5aa63799927

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
899B

MD5
a18dd6df2f750f3b9cc75f34a8b03d61

SHA1
633a6ece22c2892e8f9f5249a702d6db88891b81

SHA256
e7544c31d24c30a34d00c32deabccd5ee7e15ff9d4b15a2d150498701ee83403

SHA512
67a90e660014b128b8afa0ec31d7e769659e21a0b4ab1cbb5aa424b49d1ddd8fd962d27f55dfbdd30d33112a3eddce3d4b28b29b098618e2935516c94c025ee4

Download Submit
\Users\Admin\AppData\Local\Qvp3bB\EhStorAuthn.exe

Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
\Users\Admin\AppData\Local\aROCCBh4A\rdpshell.exe

Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
\Users\Admin\AppData\Local\su53k\FXSCOVER.exe

Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
memory/1140-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-47-0x0000000077956000-0x0000000077957000-memory.dmp

Filesize
4KB

Download
memory/1140-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-3-0x0000000077956000-0x0000000077957000-memory.dmp

Filesize
4KB

Download
memory/1140-14-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-13-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-12-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-11-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-10-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-9-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-8-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-27-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/1140-28-0x0000000077BF0000-0x0000000077BF2000-memory.dmp

Filesize
8KB

Download
memory/1140-37-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-39-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1140-25-0x00000000025C0000-0x00000000025C7000-memory.dmp

Filesize
28KB

Download
memory/1140-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-19-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-7-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1140-6-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1564-89-0x000007FEF70D0000-0x000007FEF7180000-memory.dmp

Filesize
704KB

Download
memory/1564-93-0x000007FEF70D0000-0x000007FEF7180000-memory.dmp

Filesize
704KB

Download
memory/2632-72-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2632-73-0x000007FEF70D0000-0x000007FEF717A000-memory.dmp

Filesize
680KB

Download
memory/2632-77-0x000007FEF70D0000-0x000007FEF717A000-memory.dmp

Filesize
680KB

Download
memory/2644-46-0x000007FEF7900000-0x000007FEF79A9000-memory.dmp

Filesize
676KB

Download
memory/2644-0-0x000007FEF7900000-0x000007FEF79A9000-memory.dmp

Filesize
676KB

Download
memory/2644-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2764-60-0x000007FEF79B0000-0x000007FEF7A5A000-memory.dmp

Filesize
680KB

Download
memory/2764-57-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2764-55-0x000007FEF79B0000-0x000007FEF7A5A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads