Overview

overview

10

Static

static

3

dac160c6d3...f1.dll

windows7-x64

10

dac160c6d3...f1.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2025 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dac160c6d30f4ea4ee0bfa29faf72f93de7bf24340286ad025ab16fb007a17f1.dll

  • Size

    716KB

  • MD5

    1495a2d3a5052564d2318936861a0530

  • SHA1

    df2db259ff86f00d6b52836e757565346cb77f48

  • SHA256

    dac160c6d30f4ea4ee0bfa29faf72f93de7bf24340286ad025ab16fb007a17f1

  • SHA512

    5319b738bb4922b00e5ad97708c83ce0bc8166b04ed24c89d2f50c510f6e91777bc9c1e04e48ceed6363cfe52abf34dd31186099251da3899b18456b4d4a0d59

  • SSDEEP

    12288:ROCRucgLs3bu9FRcOL5yEPAIiCj6ELV32KrXZiQJ8cXFpoTj:cCroYbu9FvAEPAIiy6ELV32KlFs

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dac160c6d30f4ea4ee0bfa29faf72f93de7bf24340286ad025ab16fb007a17f1.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1656
  • C:\Windows\system32\CustomShellHost.exe
    C:\Windows\system32\CustomShellHost.exe
    1⤵
      PID:916
    • C:\Users\Admin\AppData\Local\sLIOK\CustomShellHost.exe
      C:\Users\Admin\AppData\Local\sLIOK\CustomShellHost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3156
    • C:\Windows\system32\bdeunlock.exe
      C:\Windows\system32\bdeunlock.exe
      1⤵
        PID:1544
      • C:\Users\Admin\AppData\Local\Jj3X\bdeunlock.exe
        C:\Users\Admin\AppData\Local\Jj3X\bdeunlock.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3624
      • C:\Windows\system32\rdpinput.exe
        C:\Windows\system32\rdpinput.exe
        1⤵
          PID:5076
        • C:\Users\Admin\AppData\Local\KrFAc2tbA\rdpinput.exe
          C:\Users\Admin\AppData\Local\KrFAc2tbA\rdpinput.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2992

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Jj3X\DUser.dll
          Filesize

          724KB

          MD5

          f7d79acefecc3ae0ef9fc29c73fade0f

          SHA1

          041130a0aa6c5eebaa6ab062bf611eeaf4563ae9

          SHA256

          424973afd72b81b5dac38cc1ab6778fdc7a2ab160490cec08798b948862d02c0

          SHA512

          7c7cc10aa40fe96b40954954101fdb3a62e20640688a64dc9517eff10f3006e92e2cd09ae35614c2d0b46e4af22e6f9b7ef68a26174495eb129c555ae9e84e5c

          Download Submit

        • C:\Users\Admin\AppData\Local\Jj3X\bdeunlock.exe
          Filesize

          279KB

          MD5

          fef5d67150c249db3c1f4b30a2a5a22e

          SHA1

          41ca037b0229be9338da4d78244b4f0ea5a3d5f3

          SHA256

          dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

          SHA512

          4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

          Download Submit

        • C:\Users\Admin\AppData\Local\KrFAc2tbA\WTSAPI32.dll
          Filesize

          720KB

          MD5

          f30e08ba88a4c7b250a5c11f8ef3d9a6

          SHA1

          559b1cb31e75c692da3e93e4dacf5413aed19511

          SHA256

          8a87b2d285eb23e525153bc89c1d25d520fbee848c9cf9eb94687e088a1f0c28

          SHA512

          02e7616173960b0c76fbcea9a8b945e284cacee65ea8dfb8f65acb02a7abdf509393e927440b2b6fd1e5fa1f4b1c9503a88868fa5cfccec8054f9a5f567e7c56

          Download Submit

        • C:\Users\Admin\AppData\Local\KrFAc2tbA\rdpinput.exe
          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

          Download Submit

        • C:\Users\Admin\AppData\Local\sLIOK\CustomShellHost.exe
          Filesize

          835KB

          MD5

          70400e78b71bc8efdd063570428ae531

          SHA1

          cd86ecd008914fdd0389ac2dc00fe92d87746096

          SHA256

          91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

          SHA512

          53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

          Download Submit

        • C:\Users\Admin\AppData\Local\sLIOK\WTSAPI32.dll
          Filesize

          720KB

          MD5

          36b09f8671f5eda1cd02bb4ba3d3db48

          SHA1

          a53f0e65957e053a3af70f4a23d21cd9d1a7922f

          SHA256

          4b395e492f5a66e4b889b3cd7af81d8d6feca62bec8b8a796fe36e6bf1913ce8

          SHA512

          46fd44ca7da8f484f2b56f17ebc591c606f1ba1a3c38c31063ed193ea9e88d5ec71634a468c56ec288d78e86f4be99bf2a4ca20c37a05817be589a6ec3d915fb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          8c4a34b99805d0b52ebe3b8dbb2ec818

          SHA1

          8e850a1356bd1ce6e27e05704d12e69805bbde70

          SHA256

          79efde1942445e5df976e37c2f69cd854edfdfcf54c797630f968656964f08ed

          SHA512

          54960a87d6804eb6994d8c62babb7d4b623999040cef772cea68fea795be50f6e7c4e221f101220df79142c8f6aaa4f753cd2d012f11b65eb39822b3301d6256

          Download Submit

        • memory/1656-2-0x00000189B8250000-0x00000189B8257000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1656-38-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1656-0-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/2992-81-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3156-47-0x0000018D64230000-0x0000018D64237000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3156-45-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3156-50-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3520-23-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-6-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-3-0x00000000023F0000-0x00000000023F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-10-0x00007FFC0F9DA000-0x00007FFC0F9DB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-35-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-24-0x00007FFC10C60000-0x00007FFC10C70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-5-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3520-25-0x00007FFC10C50000-0x00007FFC10C60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-28-0x00000000004E0000-0x00000000004E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3624-66-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3624-62-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3624-61-0x00000236E4A00000-0x00000236E4A07000-memory.dmp

          Filesize

          28KB

          Download