Overview

overview

10

Static

static

3

fe04562ba3...aN.dll

windows7-x64

10

fe04562ba3...aN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-01-2025 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe04562ba37a35c4d3c0f44c1e721f24078eaa70c8bd1ceb7c6ac6a6f1d2843aN.dll

  • Size

    804KB

  • MD5

    0f413d5ba9a89182b758896df48db410

  • SHA1

    7a1fbfde26fd73a4d27a71bd4300392c3b2dadf7

  • SHA256

    fe04562ba37a35c4d3c0f44c1e721f24078eaa70c8bd1ceb7c6ac6a6f1d2843a

  • SHA512

    1a083ad20a5def7fef52dba3327e968aa288105b1820c5639d80b488d38e50e0c0005f085233d70f22600e3cda8079e60db4f5b541f28636686505d47bf6126f

  • SSDEEP

    12288:YbP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQeB:Ybe42XV7KWgmjDR/T4a/Mdjmv

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fe04562ba37a35c4d3c0f44c1e721f24078eaa70c8bd1ceb7c6ac6a6f1d2843aN.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1672
  • C:\Windows\system32\RDVGHelper.exe
    C:\Windows\system32\RDVGHelper.exe
    1⤵
      PID:2656
    • C:\Users\Admin\AppData\Local\8W8n7Ov\RDVGHelper.exe
      C:\Users\Admin\AppData\Local\8W8n7Ov\RDVGHelper.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3020
    • C:\Windows\system32\irftp.exe
      C:\Windows\system32\irftp.exe
      1⤵
        PID:2684
      • C:\Users\Admin\AppData\Local\eqjSC2d\irftp.exe
        C:\Users\Admin\AppData\Local\eqjSC2d\irftp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2524
      • C:\Windows\system32\p2phost.exe
        C:\Windows\system32\p2phost.exe
        1⤵
          PID:1408
        • C:\Users\Admin\AppData\Local\IPv4jYHr\p2phost.exe
          C:\Users\Admin\AppData\Local\IPv4jYHr\p2phost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1792

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8W8n7Ov\dwmapi.dll
          Filesize

          804KB

          MD5

          8327a65f8506d061b99800351346d102

          SHA1

          e2b3b143f2606f2757fbce88ebd3ca58a3701182

          SHA256

          fb37875c458f3bd6ab30dbb956b48ecc514fba0bb471d4fe836c094167630bb3

          SHA512

          0cc432b823efef0e486b2b94917acecfa3411f5820dfcbcdc704fd5e0936576508f99140371df6d7449be73f81d4b02f6c055d12b1d1b84828ada36cb4986062

          Download Submit

        • C:\Users\Admin\AppData\Local\IPv4jYHr\P2PCOLLAB.dll
          Filesize

          808KB

          MD5

          58035107741baf15632768e2c2551bf6

          SHA1

          c44339fa78d87928fdd70d1bc87e139440511685

          SHA256

          50881deb5d7a95ea037fd71f5b9124aad5a648f5c03049a6a0354709c76d6216

          SHA512

          e5359c1ee06073ac06dfaa8411275fe6d5a271c7d951f805c319302d90815bc2039c3c1acc700f7635ed6e3f48ef59d908ecd2feb975e84fe4c98de6fec49b21

          Download Submit

        • C:\Users\Admin\AppData\Local\eqjSC2d\MFC42u.dll
          Filesize

          832KB

          MD5

          05fe95d8e35e5ef4f63a2bbcc824357d

          SHA1

          a48748a0c2aa4f17419e3f82c1fee7859f0ac707

          SHA256

          f88e0665194a1ea13e6adb32e9346bef99adcffc9680cdc306d62eec2b9e9b47

          SHA512

          a088070f54bea58e2a5a3a79f4e84c2ca6e08f6c111e47c380bd964494a9f85902194bf4a890d2ce9fe0411e0ed64cd195a00136c5a5f0887df900b394a59e26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          818d4c029fe1cdc44fa3fde253614c4b

          SHA1

          d4674395492dbebb2e9bf495482778e4b8fc7b16

          SHA256

          4a75f39ee8097d721c8574eb5842d6ca9c673410c4f974a194e9a9b3c133e0e2

          SHA512

          129faad869910cfcd40cb36aecea51af6748fd2e81bde0479229f01ff1404d924de1504d5a3d011a77cadff97ef1e5a7a6b745ef21a37cdbcb23ea6984f58a31

          Download Submit

        • \Users\Admin\AppData\Local\8W8n7Ov\RDVGHelper.exe
          Filesize

          93KB

          MD5

          53fda4af81e7c4895357a50e848b7cfe

          SHA1

          01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

          SHA256

          62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

          SHA512

          dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

          Download Submit

        • \Users\Admin\AppData\Local\IPv4jYHr\p2phost.exe
          Filesize

          172KB

          MD5

          0dbd420477352b278dfdc24f4672b79c

          SHA1

          df446f25be33ac60371557717073249a64e04bb2

          SHA256

          1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

          SHA512

          84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

          Download Submit

        • \Users\Admin\AppData\Local\eqjSC2d\irftp.exe
          Filesize

          192KB

          MD5

          0cae1fb725c56d260bfd6feba7ae9a75

          SHA1

          102ac676a1de3ec3d56401f8efd518c31c8b0b80

          SHA256

          312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

          SHA512

          db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

          Download Submit

        • memory/1220-38-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-7-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-26-0x0000000077181000-0x0000000077182000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-15-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-14-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-13-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-106-0x0000000077076000-0x0000000077077000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-11-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-10-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-8-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-34-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-4-0x0000000077076000-0x0000000077077000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-43-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-22-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-23-0x00000000025B0000-0x00000000025B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1220-27-0x00000000772E0000-0x00000000772E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1220-9-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1220-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1672-0-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1672-12-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1672-3-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1792-88-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1792-89-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/1792-94-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/2524-70-0x0000000000420000-0x0000000000427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2524-76-0x0000000140000000-0x00000001400D0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/2524-71-0x0000000140000000-0x00000001400D0000-memory.dmp

          Filesize

          832KB

          Download

        • memory/3020-58-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3020-55-0x00000000000E0000-0x00000000000E7000-memory.dmp

          Filesize

          28KB

          Download