MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8880031f4a5f26ce43980ff969dea0afffac76bb6ca621af8cb304324ce2b33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8880031f4a5f26ce43980ff969dea0afffac76bb6ca621af8cb304324ce2b33
SHA3-384 hash: 9d204a221b061f3aef5a1a6613d1564ff623234ea0d42d64138e012c8ae606f211e575ab8d2f6044b53762a18dbd2ec1
SHA1 hash: 2762c8987dcddc8b0fe34d910cfb6441b88f63e8
MD5 hash: 2914c084f069919968829269441531e0
humanhash: sad-floor-pasta-potato
File name:c8880031f4a5f26ce43980ff969dea0afffac76bb6ca621af8cb304324ce2b33
Download: download sample
Signature Dridex
Create hunting rule
File size:606'208 bytes
First seen:2021-05-07 15:24:26 UTC
Last seen:2021-05-07 16:13:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 352ef09cba749f03b764f68f09f1bccd (1 x Dridex)
ssdeep 12288:nWbIA+iSwlXl8OUrgRUKpsruuw7GLPBng7ym50QO3/z/2lTkt05h0T:Wbh1Swl1+h0sauw7GLPBng7ym50QOPzt
Threatray 18 similar samples on MalwareBazaar
TLSH 76D4E111C2E9430DE64E743AD8ABEF323AB12B7A1F004947D3089573979A5749CB89F6
Reporter JasonMilletary
Tags:dll Dridex main

Intelligence

File Origin
# of uploads :
3
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Troj.Dridex-ABY.19414.24803.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Sending a UDP request
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Forced shutdown of a browser
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/719407
Signature
Changes memory attributes in foreign processes to executable or writable
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Potential time zone aware malware
Queues an APC in another process (thread injection)
Uses Windows timers to delay execution
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 408635 Sample: WgU3kSKb4s.dll Startdate: 09/05/2021 Architecture: WINDOWS Score: 68 28 Multi AV Scanner detection for submitted file 2->28 7 loaddll64.exe 1 2->7         started        10 explorer.exe 2 154 2->10         started        12 explorer.exe 122 2->12         started        14 4 other processes 2->14 process3 signatures4 32 Changes memory attributes in foreign processes to executable or writable 7->32 34 Queues an APC in another process (thread injection) 7->34 16 cmd.exe 1 7->16         started        18 explorer.exe 7->18 injected 21 explorer.exe 7->21 injected 23 explorer.exe 7->23 injected 36 Uses Windows timers to delay execution 10->36 38 Potential time zone aware malware 10->38 process5 signatures6 25 rundll32.exe 16->25         started        30 Found potential dummy code loops (likely to delay analysis) 18->30 process7 signatures8 40 Changes memory attributes in foreign processes to executable or writable 25->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8880031f4a5f26ce43980ff969dea0afffac76bb6ca621af8cb304324ce2b33/
Threat name:
Win64.Trojan.Injexa
Create hunting rule
Status:
Malicious
First seen:
2021-05-07 15:25:19 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
2a7d98e350c431dcce79966d10ed36236a0fa0dfa113cec0d629ddb3faa43be2
Dridex
39aeb4b829dbaf57881874eb22330a8eb8440c9dc7dd49db912a0f05377a9c07
Dridex
3aa8b08faadabb153fc00fc7b9445feb34a75e040b1c0e734242b1f76a9dc6db
Dridex
4b2cdc3fa6ed4bc76c8f19b0dfbc7fc013b4e889fabcacf57bbdda9138777f94
Dridex
62c3a9c66466f4bceff1f9d785b832af8f15f4ae1b07ec573ba2f43a0d7db308
Dridex
9243b9644ef74212a00a79968b2f04c040824aeb470e7d3b4e76d57f1e415f2a
Dridex
b1afe9e1801792dfe96eb0a6c71aa98f82067c5454526a7a524a41d5bb8814ac
Dridex
bb881851c401f18651d160438cc157a01d27640b081b7b8c909b222986948682
Dridex
c9ac5bb27067f557bfe685c0f56e7f0c2c14cc20bfbcb630561edc266ab27fd3
Dridex
ca59948cbaec960d7b31ff1239c58d169b50dec11e57ab6201754362bf71b5fe
Dridex
+ 8 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion loader persistence trojan
Link:
https://tria.ge/reports/210507-zl1md73j5x/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Loader
Dridex
Unpacked files
SH256 hash:
c8880031f4a5f26ce43980ff969dea0afffac76bb6ca621af8cb304324ce2b33
MD5 hash:
2914c084f069919968829269441531e0
SHA1 hash:
2762c8987dcddc8b0fe34d910cfb6441b88f63e8
Link:
https://www.unpac.me/results/3f446236-b58a-47f6-a289-b0cdb84e0953/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dridex
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8880031f4a5f26ce43980ff969dea0afffac76bb6ca621af8cb304324ce2b33

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-07 15:59:32 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [C0026.002] Data Micro-objective::XOR::Encode Data