Dridex (2017 wave)
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
4 syscalls cited
- NtAddAtom
Adds (or refcount-increments) a string in the global kernel atom table and returns its 16-bit atom ID.
- NtFindAtom
Looks up an existing global atom by name and returns its 16-bit ID without incrementing the refcount.
- NtDeleteAtom
Decrements the reference count of a global atom and removes it when the count reaches zero.
- NtQueryInformationAtom
Returns metadata about a single atom or the entire global atom table — name, refcount, pin count, usage counts.