Overview

overview

10

Static

static

3

afa9c41340...9N.dll

windows7-x64

10

afa9c41340...9N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2025, 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9N.dll

  • Size

    780KB

  • MD5

    3caa124004a7de62cdbcb2c165e57610

  • SHA1

    9e023d9ad84bc5fe1dee5399d4f7772bf11cae61

  • SHA256

    afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9

  • SHA512

    5368089956fb170ed6cf04d4172843dbe0250484905b3d33d844fbe74bc503873802dadb167aea0d66198e40a8e90ad96cbe3937b6cb930c418c63edc739f4aa

  • SSDEEP

    24576:aWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij:dnuVMK6vx2RsIKNrj

Score
10/10
dridexbotnetdefense_evasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\afa9c41340915e052915ffb037526bfed01e8d7befc8767f4bb8e0fa628365d9N.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1404
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:4824
    • C:\Users\Admin\AppData\Local\BAJ21gAx\rdpshell.exe
      C:\Users\Admin\AppData\Local\BAJ21gAx\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2548
    • C:\Windows\system32\sigverif.exe
      C:\Windows\system32\sigverif.exe
      1⤵
        PID:2132
      • C:\Users\Admin\AppData\Local\RadE\sigverif.exe
        C:\Users\Admin\AppData\Local\RadE\sigverif.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2908
      • C:\Windows\system32\mblctr.exe
        C:\Windows\system32\mblctr.exe
        1⤵
          PID:4056
        • C:\Users\Admin\AppData\Local\nc116mlyE\mblctr.exe
          C:\Users\Admin\AppData\Local\nc116mlyE\mblctr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4312

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\BAJ21gAx\WINSTA.dll
          Filesize

          788KB

          MD5

          b9ac3c3fde9e900aeb8b745eda1ed178

          SHA1

          1c5640b25e34a697f1c8fbeee052572ac74adff7

          SHA256

          f2bb36fd9c2af01dd8246e6316e757517fd2448012919c4e043058316861d5d7

          SHA512

          aebb5eaf6327c9ca3fab88833b3672f26490f643ab3bb488c9a8fb7997d51e5475ab9ae8e336d24648f49d4549ce9792c4a24286bd5d8bd074cf9ad3e5740639

          Download Submit

        • C:\Users\Admin\AppData\Local\BAJ21gAx\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Local\RadE\VERSION.dll
          Filesize

          780KB

          MD5

          b9859a1d7d1b66884c94dcc486b46ee8

          SHA1

          ac8ba4639fedc1f7bf9312b93d81b94188a3db6e

          SHA256

          fb59951718c3384c3c56cf9764af1f3c56a9e925a1f9581426808625991a9c74

          SHA512

          16989002869d65f968a2cc6645b7f6ee62ee6eee8127578f7d56d7d8104b8d456bb26aaee25a4b8d3d58938186cf7ee86012efa268b6b9dd1bf88afb703a9706

          Download Submit

        • C:\Users\Admin\AppData\Local\RadE\sigverif.exe
          Filesize

          77KB

          MD5

          2151a535274b53ba8a728e542cbc07a8

          SHA1

          a2304c0f2616a7d12298540dce459dd9ccf07443

          SHA256

          064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

          SHA512

          e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

          Download Submit

        • C:\Users\Admin\AppData\Local\nc116mlyE\WTSAPI32.dll
          Filesize

          784KB

          MD5

          28fe166677902d8063b334bf913f256e

          SHA1

          2d5f5996f932dd78b9402bac110321efe0fa5640

          SHA256

          d568e12d31af658eb57825546e5cd39c0837f80f327de6ba63a283ba0244eea8

          SHA512

          eebd25bdf921dee6cd139589105d318e36c8babd5c586406a60eecdb668b2ddd0caf19a5846dcbce774c88aefeb2628a6561bac1406e9abbb1918b4d33ae3ba0

          Download Submit

        • C:\Users\Admin\AppData\Local\nc116mlyE\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bnquza.lnk
          Filesize

          1KB

          MD5

          3767f15c98ace0ef504fe435cda324ff

          SHA1

          c3cc70bc585ad81e26dbceb37569345b80294f37

          SHA256

          5dd53cd1576b5fa59dca7aa0dc9b788afae95f5ae2ba5914ed67a61c368962fc

          SHA512

          2816988972b5ea50d38907865ba913ac3baad92969c0c37310591eef6e87df75507fcb2ae8546a51a4a2320e4ba4798bd059792719dec313a40ef2aef1b4bdaa

          Download Submit

        • memory/1404-3-0x000001E881A80000-0x000001E881A87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1404-11-0x00007FF8632A0000-0x00007FF863363000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1404-0-0x00007FF8632A0000-0x00007FF863363000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2548-44-0x00007FF8632A0000-0x00007FF863365000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2548-49-0x000001A6319F0000-0x000001A6319F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2548-50-0x00007FF8632A0000-0x00007FF863365000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2908-67-0x00007FF8632A0000-0x00007FF863363000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2908-65-0x000001A967C60000-0x000001A967C67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-16-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-27-0x00007FF871EC0000-0x00007FF871ED0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-15-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-12-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-33-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-10-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-9-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-8-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-7-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-22-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-14-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-26-0x0000000000600000-0x0000000000607000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-35-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-13-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/3436-4-0x0000000000930000-0x0000000000931000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-5-0x00007FF87103A000-0x00007FF87103B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4312-83-0x00007FF8632A0000-0x00007FF863364000-memory.dmp

          Filesize

          784KB

          Download

        • memory/4312-78-0x00007FF8632A0000-0x00007FF863364000-memory.dmp

          Filesize

          784KB

          Download