MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbb2f48e2be5a9781f41d206815d7eedba887afe8ed916e5b4bdc863b7bf6c94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbb2f48e2be5a9781f41d206815d7eedba887afe8ed916e5b4bdc863b7bf6c94
SHA3-384 hash: 177013600d68b662da51eab29460778e99fa35007a4e33e7b9a33284fa6382cbdec5ebd5191b757f916e27194aa651f2
SHA1 hash: 25eca09700ceda5407c18c7aa5435d1fae3bf54c
MD5 hash: 82aaeb9c070a39486bae4bab28e835a7
humanhash: juliet-sierra-batman-gee
File name:bbb2f48e2be5a9781f41d206815d7eedba887afe8ed916e5b4bdc863b7bf6c94
Download: download sample
Signature Dridex
Create hunting rule
File size:1'241'088 bytes
First seen:2021-09-14 06:38:59 UTC
Last seen:2021-09-14 08:09:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 187f0508c7076d45494fb200ed16a8e7 (3 x Dridex)
ssdeep 24576:5TEqOo6qzOst9D9GDeIwvXKgMuJS0WQKz:glqzYDeIwtT80
Threatray 34 similar samples on MalwareBazaar
TLSH T10F45E18ADBB332CCFA5B54384581C7B770DAFC6740392381EFCAD6989F4AAD85D54128
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bbb2f48e2be5a9781f41d206815d7eedba887afe8ed916e5b4bdc863b7bf6c94
Verdict:
No threats detected
Analysis date:
2021-09-14 06:46:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/429df071-fbb5-4597-9473-28d763760e18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187704/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46964432.1826.28648.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Launching the process to change the firewall settings
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Forced shutdown of a browser
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61750b3bdb358dd15ed92119/reports/a27446bb-35cd-49aa-83a1-3ae5343bc90d/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1058d460-08fe-4ca0-95c2-6b5b3b97d284
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/850469
Signature
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 482898 Sample: jIUM4pyxrk Startdate: 14/09/2021 Architecture: WINDOWS Score: 84 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected Dridex unpacked file 2->47 49 2 other signatures 2->49 8 loaddll64.exe 1 2->8         started        10 explorer.exe 2->10         started        12 rundll32.exe 2->12         started        14 explorer.exe 2->14         started        process3 process4 16 rundll32.exe 8->16         started        19 cmd.exe 1 8->19         started        21 iexplore.exe 2 74 8->21         started        23 16 other processes 8->23 signatures5 39 Changes memory attributes in foreign processes to executable or writable 16->39 41 Uses Atom Bombing / ProGate to inject into other processes 16->41 25 rundll32.exe 19->25         started        28 iexplore.exe 135 21->28         started        process6 dnsIp7 51 Queues an APC in another process (thread injection) 25->51 31 explorer.exe 25->31 injected 33 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49807, 49808 YAHOO-DEBDE United Kingdom 28->33 35 geolocation.onetrust.com 104.20.185.68, 443, 49758, 49759 CLOUDFLARENETUS United States 28->35 37 10 other IPs or domains 28->37 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbb2f48e2be5a9781f41d206815d7eedba887afe8ed916e5b4bdc863b7bf6c94/
Threat name:
Win64.Trojan.Injexa
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 01:34:54 UTC
File Type:
PE+ (Dll)
AV detection:
29 of 45 (64.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
39aeb4b829dbaf57881874eb22330a8eb8440c9dc7dd49db912a0f05377a9c07
Dridex
3aa8b08faadabb153fc00fc7b9445feb34a75e040b1c0e734242b1f76a9dc6db
Dridex
7ba44f9bf826852b97d7fd37af4450957684acdea533f27440e8bfb5db1cd729
Dridex
7f0f199833687549249b22ec50bbcb234d2ad2b8da993a6cbc86db8a53236530
Dridex
9d941be63812c1b2be63a0bd33a8d8a84842ff19220f626039f783c2ef2e747e
Dridex
9e7156a3ee3d864ea24daa5db9c90bc9505e034ed45dab8115490fda05c113d9
Dridex
aaf2fc168d40d3cb6ceca9a96a6aa61cb7a76afe08724bbfcd18d279098d6bfd
Dridex
c8880031f4a5f26ce43980ff969dea0afffac76bb6ca621af8cb304324ce2b33
Dridex
ca59948cbaec960d7b31ff1239c58d169b50dec11e57ab6201754362bf71b5fe
Dridex
+ 24 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/210914-hen81aabeq/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Payload
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
bbb2f48e2be5a9781f41d206815d7eedba887afe8ed916e5b4bdc863b7bf6c94
MD5 hash:
82aaeb9c070a39486bae4bab28e835a7
SHA1 hash:
25eca09700ceda5407c18c7aa5435d1fae3bf54c
Link:
https://www.unpac.me/results/f0df3924-1c88-422e-aa0c-792f37e6cb98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/bbb2f48e2be5a9781f41d206815d7eedba887afe8ed916e5b4bdc863b7bf6c94

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187704/

Comments