MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4646aea4e66e01fc0f7b672c93884abdd152491328c2f7a0e4877a6f9046dd3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4646aea4e66e01fc0f7b672c93884abdd152491328c2f7a0e4877a6f9046dd3e
SHA3-384 hash: 506428c26d5018f79fa95c70ee561c8beb4db40e89b62bc6182fd585e50fe67abd62773296e64a8acb8e2d4391af7328
SHA1 hash: ec813407f7104c3472e2eadf308e54370628cb83
MD5 hash: 25ea32f18ed225cdb57f60612a099800
humanhash: magazine-stairway-indigo-fifteen
File name:74b8bbe22ee44997019c42ec4060592d
Download: download sample
Signature Dridex
Create hunting rule
File size:712'704 bytes
First seen:2020-11-17 11:28:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash daeb17ffecbd12b9db25ed438289b776 (1 x Dridex)
ssdeep 6144:Ywh1CV4eaaJeKZonqiZQlSbQaVdFM4QAdZIF8WrlPNcAGbbhJscqTh5N9DfSDaTU:YMCxeKZfFo9M5HBlPNofhJBqZ9De
Threatray 2 similar samples on MalwareBazaar
TLSH 5EE401D3F3212E96CFA7B23780257BA7A2F5B40403D9C3556562BF921E231D60A7B721
Reporter seifreed
Tags:Dridex

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Creating a file in the system32 subdirectories
Moving a file to the system32 subdirectory
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a system process
Unauthorized injection to a browser process
Forced shutdown of a browser
Enabling autorun by creating a file
Result
Verdict:
0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/539346
Signature
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Binary contains a suspicious time stamp
Changes memory attributes in foreign processes to executable or writable
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318769 Sample: 74b8bbe22ee44997019c42ec4060592d Startdate: 17/11/2020 Architecture: WINDOWS Score: 84 66 Antivirus / Scanner detection for submitted sample 2->66 68 Machine Learning detection for sample 2->68 70 Drops executables to the windows directory (C:\Windows) and starts them 2->70 72 3 other signatures 2->72 10 loaddll64.exe 1 2->10         started        12 dccw.exe 2->12         started        process3 process4 14 regsvr32.exe 10->14         started        17 cmd.exe 1 10->17         started        signatures5 78 Changes memory attributes in foreign processes to executable or writable 14->78 80 Queues an APC in another process (thread injection) 14->80 19 explorer.exe 12 36 14->19 injected 23 iexplore.exe 2 81 17->23         started        process6 file7 52 C:\Users\user\AppData\Local\Temp\rd3DCA.tmp, PE32+ 19->52 dropped 54 C:\Users\user\AppData\Local\Temp\i73C0.tmp, PE32+ 19->54 dropped 74 Benign windows process drops PE files 19->74 25 dxgiadaptercache.exe 19->25         started        28 cmd.exe 3 19->28         started        31 fodhelper.exe 12 19->31         started        36 4 other processes 19->36 33 iexplore.exe 5 122 23->33         started        signatures8 process9 dnsIp10 76 Changes memory attributes in foreign processes to executable or writable 25->76 56 C:\Users\user\...\dxgiadaptercache.exe, PE32+ 28->56 dropped 38 conhost.exe 28->38         started        40 cmd.exe 31->40         started        60 img.img-taboola.com 33->60 62 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49730, 49731 FASTLYUS United States 33->62 64 7 other IPs or domains 33->64 58 C:\Windows\System32\IV4LUji\dccw.exe, PE32+ 36->58 dropped 42 conhost.exe 36->42         started        44 conhost.exe 36->44         started        46 schtasks.exe 36->46         started        file11 signatures12 process13 process14 48 conhost.exe 40->48         started        50 schtasks.exe 40->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4646aea4e66e01fc0f7b672c93884abdd152491328c2f7a0e4877a6f9046dd3e/
Threat name:
Win64.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 11:29:35 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
Dridex
ff4227323497b89397e3a641de847a9acb4dcce6c7bf0553d6ea2e7e9af51516
Dridex
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet loader persistence
Link:
https://tria.ge/reports/201117-hfn3s6gvl2/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Dridex Loader
Dridex
Unpacked files
SH256 hash:
4646aea4e66e01fc0f7b672c93884abdd152491328c2f7a0e4877a6f9046dd3e
MD5 hash:
25ea32f18ed225cdb57f60612a099800
SHA1 hash:
ec813407f7104c3472e2eadf308e54370628cb83
Link:
https://www.unpac.me/results/d0296675-7f31-406f-a7bf-ce275ad452e3/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments