MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aa8b08faadabb153fc00fc7b9445feb34a75e040b1c0e734242b1f76a9dc6db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 7

SHA256 hash: 3aa8b08faadabb153fc00fc7b9445feb34a75e040b1c0e734242b1f76a9dc6db
SHA3-384 hash: 087d0dba96b01ce675283c2c55cc1f4bd904b75f8d067949e4fd6065970f92293a3a7cc9b8ed0dfbe59c5f43016bd5da
SHA1 hash: 064d4d20839baa90798a089c385f648b2ac64448
MD5 hash: 542c37df19770a5bb480b311692b1d87
humanhash: kitten-low-oklahoma-paris
File name: 542c37df_by_Libranalysis
Signature: Dridex
File size: 618'496 bytes
First seen: 2021-04-30 17:01:58 UTC
Last seen: 2021-04-30 18:03:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb81e7dcd245efc3f19de8a19bc0e3bd (1 x Dridex)
ssdeep: 12288:tlcGwuSndFvX3NaNIeSbonswPDM5elFUHUK1t80T:tlsdtjrUsf/N
Threatray: 17 similar samples on MalwareBazaar
TLSH: EFD4E117D17CFACED5748AB6C9F428B5B07A381B840893CCA6AC95CC7DBD159CF19A20
Reporter: Libranalysis
Tags: Dridex


Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads: 2
# of downloads: 104
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Sending a UDP request
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Forced shutdown of a browser
Enabling autorun by creating a file
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 96 / 100
Signature
Changes memory attributes in foreign processes to executable or writable
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential time zone aware malware
Queues an APC in another process (thread injection)
Sigma detected: Fireball Archer Install
Sigma detected: Koadic Execution
Sigma detected: Mustang Panda Dropper
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Rundll32 Invoking Inline VBScript
Sigma detected: Suspicious WMI Execution Using Rundll32
Uses Windows timers to delay execution
Behaviour
Behavior Graph:
Behavior Graph ID: 401573
Sample: 542c37df_by_Libranalysis
Start date: 30/04/2021
Architecture: WINDOWS
Score: 96
Process tree and signatures recovered from the behavior graph:
  Sample root
    Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Sigma detected: Suspicious Call by Ordinal; 5 other signatures
    Started: loaddll64.exe; explorer.exe; explorer.exe; 3 other processes
  loaddll64.exe
    Signatures: Changes memory attributes in foreign processes to executable or writable; Queues an APC in another process (thread injection)
    Started: cmd.exe
    Injected: explorer.exe (three instances)
  explorer.exe (started by the sample)
    Signatures: Uses Windows timers to delay execution; Potential time zone aware malware
  explorer.exe (started by the sample)
    Network: 192.168.2.1 (unknown unknown)
  explorer.exe (injected by loaddll64.exe)
    Signatures: Found potential dummy code loops (likely to delay analysis)
  cmd.exe
    Started: rundll32.exe
  rundll32.exe
    Injected: explorer.exe
Threat name: Win64.Trojan.Phonzy
Status: Malicious
First seen: 2021-04-30 17:02:24 UTC
AV detection: 12 of 29 (41.38%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dridex botnet evasion loader persistence trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Loader
Dridex
Unpacked files
SHA256 hash: 3aa8b08faadabb153fc00fc7b9445feb34a75e040b1c0e734242b1f76a9dc6db
MD5 hash: 542c37df19770a5bb480b311692b1d87
SHA1 hash: 064d4d20839baa90798a089c385f648b2ac64448
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-04-30 18:06:03 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0026.002] Data Micro-objective::XOR::Encode Data