MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e819a18706dde48651ad2943709f9976e3fb3257b555dcdbbe493f196621f43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e819a18706dde48651ad2943709f9976e3fb3257b555dcdbbe493f196621f43
SHA3-384 hash: b232917cd71bed66a5804d29e2424956394ce8320fb7b99b9a38b90520753c647a22af94969995eefca380af59724978
SHA1 hash: 0f389723512ef18ba92aa218a2522c00118b6606
MD5 hash: 8624e731b22efb289e7ae1a1d2571f57
humanhash: queen-jersey-lima-muppet
File name:3e819a18706dde48651ad2943709f9976e3fb3257b555dcdbbe493f196621f43
Download: download sample
Signature Dridex
Create hunting rule
File size:1'359'872 bytes
First seen:2021-09-28 09:20:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6b4c2eec8a93016c63563421e15f011 (66 x Dridex)
ssdeep 12288:mdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0TU51:AMIJxSDX3bqjhcfHk7MzH6zO1
Threatray 71 similar samples on MalwareBazaar
TLSH T10C55E094F677A1CAC4A76DF6EDF86D705A122CC3623047A1CE02D1861B751E4CDF2A27
File icon (PE):PE icon
dhash icon 44b2686938d8cc00 (67 x Dridex)
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e819a18706dde48651ad2943709f9976e3fb3257b555dcdbbe493f196621f43
Verdict:
No threats detected
Analysis date:
2021-09-28 09:42:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14aa7e56-ef08-4dc3-8d60-d1e4fdede713

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192601/
Detection(s):
Win.Dropper.Dridex-9875456-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Launching the process to change the firewall settings
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Forced shutdown of a browser
Enabling autorun by creating a file
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41984511-2f84-495b-9428-c97df612319c
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/860201
Signature
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1396 Sample: 8hIPR0n66X.dll Startdate: 28/09/2021 Architecture: WINDOWS Score: 84 47 api.msn.com 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Dridex unpacked file 2->53 55 2 other signatures 2->55 8 loaddll64.exe 1 2->8         started        11 mpam-36ef35d2.exe 2->11         started        14 wevtutil.exe 2->14         started        16 18 other processes 2->16 signatures3 process4 dnsIp5 65 Queues an APC in another process (thread injection) 8->65 19 rundll32.exe 8->19         started        22 cmd.exe 1 8->22         started        24 rundll32.exe 8->24         started        26 rundll32.exe 8->26         started        39 C:\Windows\ServiceProfiles\...\mpavdlta.vdm, PE32+ 11->39 dropped 41 C:\Windows\ServiceProfiles\...\mpasdlta.vdm, PE32+ 11->41 dropped 43 C:\Windows\ServiceProfiles\...\MpSigStub.exe, PE32+ 11->43 dropped 28 MpSigStub.exe 11->28         started        30 conhost.exe 14->30         started        45 127.0.0.1 unknown unknown 16->45 32 conhost.exe 16->32         started        file6 signatures7 process8 signatures9 57 Changes memory attributes in foreign processes to executable or writable 19->57 59 Uses Atom Bombing / ProGate to inject into other processes 19->59 34 explorer.exe 19->34 injected 36 rundll32.exe 22->36         started        process10 signatures11 61 Changes memory attributes in foreign processes to executable or writable 36->61 63 Uses Atom Bombing / ProGate to inject into other processes 36->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e819a18706dde48651ad2943709f9976e3fb3257b555dcdbbe493f196621f43/
Threat name:
Win64.Trojan.Injexa
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 20:42:00 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
1724ff9ba5628de250ba08b8aa9e22f2d8dd1ef1202db2aa431092830b9096cd
Dridex
3a6bc629f279b82e918fda979158e9862615771b5bf162280c96358952be05df
Dridex
3bd1435d754a8c551c78784e9c8a52f04f9e2c8837b3ce23f85905ac0b1be8a4
Dridex
73541b82ca26c8c60a84354c657c42bd2ece5cfad3f49437a927b4265234b9da
Dridex
791fc1aa65ec3ae85a5441497344eed922c7e03720d086a58f17a63e038a6427
Dridex
9ca7950a5bf2478775f2f4a5286987e8dfcd4a5fbc7b4b535e9f6a63083866d4
Dridex
bf2a4d1b25a38df42987a0b0478f0325620b505067fbeb81a2fabbc01f80e272
Dridex
cc7570a8f00ca7bb7fcbf3b585f1125b7ca7c2214064ca9bf8bcbddad224823c
Dridex
e68f928700b4296f2c389892bb68dfd844f5344d773af12245dae587e2e42257
Dridex
ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033
Dridex
+ 61 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/210928-lbdjwabeaj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Payload
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
3e819a18706dde48651ad2943709f9976e3fb3257b555dcdbbe493f196621f43
MD5 hash:
8624e731b22efb289e7ae1a1d2571f57
SHA1 hash:
0f389723512ef18ba92aa218a2522c00118b6606
Link:
https://www.unpac.me/results/6dfbd9de-d36f-4a7f-b477-a526471370ea/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3e819a18706d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/3e819a18706dde48651ad2943709f9976e3fb3257b555dcdbbe493f196621f43

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192601/

Comments