MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
SHA3-384 hash: 2edbde86416376f8f68ef08f378b08db65c5a9a3fb6eaabff18988efb4e2b66cf7ddaad1a95d2c24290a595097648716
SHA1 hash: 38ac582b64fb09f212aceddf5e3cc13946c69985
MD5 hash: 93394d6e0ea894922267955095fabbc9
humanhash: music-king-blue-foxtrot
File name:93394d6e_by_Libranalysis
Download: download sample
File size:602'112 bytes
First seen:2021-05-10 18:05:19 UTC
Last seen:2021-05-10 19:13:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9492b94f5d5a5ef7d6070716325e88dc
ssdeep 12288:3prLPez1SBV5ulap9F2dXhkdVFflxKrqEsr0LsPju0T:Fc1SBV5ai9SeKOEBsb
Threatray 55 similar samples on MalwareBazaar
TLSH C7D4F1838AD08E06F5C92DF0451789772D51B8B68134A3098E71C2BFDF1C668E235BDB
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154362/
Detection(s):
SecuriteInfo.com.Troj.Dridex-ABY.8426.5222.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Sending a UDP request
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Forced shutdown of a browser
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/777688
Signature
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
DLL side loading technique detected
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected PersistenceViaHiddenTask
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 410086 Sample: 93394d6e_by_Libranalysis.dll Startdate: 10/05/2021 Architecture: WINDOWS Score: 72 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected PersistenceViaHiddenTask 2->47 7 loaddll64.exe 1 2->7         started        10 explorer.exe 28 212 2->10         started        14 irftp.exe 2->14         started        process3 dnsIp4 49 Changes memory attributes in foreign processes to executable or writable 7->49 51 Queues an APC in another process (thread injection) 7->51 16 explorer.exe 7->16 injected 19 cmd.exe 1 7->19         started        21 explorer.exe 7->21 injected 41 192.168.2.1 unknown unknown 10->41 33 C:\Users\...\SystemPropertiesAdvanced.exe, PE32+ 10->33 dropped 35 C:\Users\user\AppData\Roaming\...\SYSDM.CPL, PE32+ 10->35 dropped 37 C:\Users\user\AppData\Roaming\...\irftp.exe, PE32+ 10->37 dropped 39 11 other files (none is malicious) 10->39 dropped 53 DLL side loading technique detected 10->53 23 irftp.exe 10->23         started        25 irftp.exe 10->25         started        27 SystemPropertiesAdvanced.exe 10->27         started        29 8 other processes 10->29 file5 signatures6 process7 signatures8 43 Benign windows process drops PE files 16->43 31 rundll32.exe 19->31         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530/
Threat name:
Win64.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 18:06:19 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
39aeb4b829dbaf57881874eb22330a8eb8440c9dc7dd49db912a0f05377a9c07
3aa8b08faadabb153fc00fc7b9445feb34a75e040b1c0e734242b1f76a9dc6db
4b2cdc3fa6ed4bc76c8f19b0dfbc7fc013b4e889fabcacf57bbdda9138777f94
62c3a9c66466f4bceff1f9d785b832af8f15f4ae1b07ec573ba2f43a0d7db308
791fc1aa65ec3ae85a5441497344eed922c7e03720d086a58f17a63e038a6427
9243b9644ef74212a00a79968b2f04c040824aeb470e7d3b4e76d57f1e415f2a
c8880031f4a5f26ce43980ff969dea0afffac76bb6ca621af8cb304324ce2b33
c9ac5bb27067f557bfe685c0f56e7f0c2c14cc20bfbcb630561edc266ab27fd3
ca59948cbaec960d7b31ff1239c58d169b50dec11e57ab6201754362bf71b5fe
d98e07cfa7163a044ebc9b5d16bd57ee54030941a9fc1564d76b2f6c655573e4
+ 45 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion loader persistence trojan
Link:
https://tria.ge/reports/210510-ncy7w9kqte/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Loader
Dridex
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154362/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-10 18:59:50 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing