MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9438a2138c39133aec93e25e79e6ba49cf6b575df5fad4a15e9cc43af45a6c69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9438a2138c39133aec93e25e79e6ba49cf6b575df5fad4a15e9cc43af45a6c69
SHA3-384 hash: c9147d8f6cfa8979e6ceae87b246fdac9e2112a46df5e5fa06a9b8c586f24d345f60bfd66db5480410c0bb5feac4b32c
SHA1 hash: dd5d735ed4c43b7736382141aa3ccf747fc81082
MD5 hash: 5f2976d3f433b4838dd32e53850c263b
humanhash: maine-pip-steak-nebraska
File name:9438a2138c39133aec93e25e79e6ba49cf6b575df5fad4a15e9cc43af45a6c69
Download: download sample
Signature Dridex
Create hunting rule
File size:3'452'928 bytes
First seen:2021-09-23 06:37:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6668be91e2c948b183827f040944057f (1'006 x Dridex)
ssdeep 12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Threatray 960 similar samples on MalwareBazaar
TLSH T12CF5E020EE69E1E6C6B89F3E9408352717B93D75110D618CC392704F9EF82546E3E9AE
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190533/
Detection(s):
Win.Packed.Razy-9769561-0
Create hunting rule

Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6d58a69-dc75-413a-8748-a6a2e2649c9f
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856210
Signature
Accesses ntoskrnl, likely to find offsets for exploits
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488638 Sample: FkDtzmgy7e Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 42 Antivirus detection for dropped file 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 8 loaddll64.exe 1 2->8         started        process3 signatures4 54 Changes memory attributes in foreign processes to executable or writable 8->54 56 Uses Atom Bombing / ProGate to inject into other processes 8->56 58 Queues an APC in another process (thread injection) 8->58 11 rundll32.exe 8->11         started        14 rundll32.exe 8->14         started        16 cmd.exe 1 8->16         started        18 17 other processes 8->18 process5 signatures6 60 Changes memory attributes in foreign processes to executable or writable 11->60 62 Uses Atom Bombing / ProGate to inject into other processes 11->62 20 explorer.exe 2 91 11->20 injected 24 rundll32.exe 16->24         started        process7 file8 34 C:\Users\user\AppData\Local\...\WINMM.dll, PE32+ 20->34 dropped 36 C:\Users\user\AppData\Local\...\HID.DLL, PE32+ 20->36 dropped 38 C:\Users\user\AppData\Local\...\Secur32.dll, PE32+ 20->38 dropped 40 37 other files (11 malicious) 20->40 dropped 50 Benign windows process drops PE files 20->50 52 Accesses ntoskrnl, likely to find offsets for exploits 20->52 26 msdt.exe 20->26         started        28 msdt.exe 20->28         started        30 dccw.exe 20->30         started        32 4 other processes 20->32 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9438a2138c39133aec93e25e79e6ba49cf6b575df5fad4a15e9cc43af45a6c69/
Threat name:
Win64.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 00:42:43 UTC
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
01c5a827692493f08f8719a7275c394199223ce2cbec50c7ebf83ff655c72f30
Dridex
07f86927fdb2ecf03db729418e0e9e7ac34b6cb807dd816de79db4fd19ae4a4b
Dridex
0951c9088fbbdc0f4eccaa2a3329c7f886e9d914992b57a926c4e6ba6fcf8f38
Dridex
0af3d57056580eb2ce6503c353bb007ddab908d40968e5a33086a770431b6ed7
Dridex
2fc71bbf53f3158b6f57ad938820666d68699800e812d4f2f6cc7fc70bb7afa8
Dridex
429ad522901cf382e8dadb952a8663f535f5f42086654dd81da3e6ded31927d3
Dridex
5356480661099bd38b6d3fb6259970f93245c21f7d9c7671205c9d735a773844
Dridex
c8b515be222c5ed644a449557d40cadbef722d8e53d0d248856076381400654a
Dridex
e386764a9c7e902bd8bd81957195a1eafb75a588fb8e260c0b72994fbef5d180
Dridex
e7b8493634d1319d62fe47d27b252923d40bbe29b793f8eb65dea02393052fbb
Dridex
+ 950 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/210923-hd3p1ahgfj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
9438a2138c39133aec93e25e79e6ba49cf6b575df5fad4a15e9cc43af45a6c69
MD5 hash:
5f2976d3f433b4838dd32e53850c263b
SHA1 hash:
dd5d735ed4c43b7736382141aa3ccf747fc81082
Link:
https://www.unpac.me/results/55dc06d8-c6ee-4832-a153-141b0d4ea6a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/9438a2138c39133aec93e25e79e6ba49cf6b575df5fad4a15e9cc43af45a6c69

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190533/

Comments