MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 638d61552ef31e3d7cce6712f6b2cda877fd3b853296076dd0d09f6674e9cadb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 638d61552ef31e3d7cce6712f6b2cda877fd3b853296076dd0d09f6674e9cadb
SHA3-384 hash: 3af92c02a3e06b33431761c0d8ad15ef77d305fb65018584a1756c43a4b0051e2ac624afb258b5d2ff3f094881f66a81
SHA1 hash: 4526bf3c8011e6edcdd0ea93ae4066021e9a9d41
MD5 hash: fb6196a0ad3475eeefebd8f3c52b3bad
humanhash: ceiling-undress-wyoming-lake
File name:638d61552ef31e3d7cce6712f6b2cda877fd3b853296076dd0d09f6674e9cadb
Download: download sample
Signature Dridex
Create hunting rule
File size:2'174'976 bytes
First seen:2021-09-24 06:05:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6668be91e2c948b183827f040944057f (1'006 x Dridex)
ssdeep 12288:HVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ufP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Threatray 1'026 similar samples on MalwareBazaar
TLSH T1ADA5E120EE69E1E6C6B99F3E9408352317B93D75110D609CC391608F9EF82546E3F9AF
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190966/
Detection(s):
Win.Packed.Razy-9769561-0
Create hunting rule

Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6a8d28d-1209-45cb-8b8b-a1c455dd0515
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857290
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489721 Sample: Tuy7pS3egA Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 5 other signatures 2->47 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 7 other processes 8->17 signatures5 51 Changes memory attributes in foreign processes to executable or writable 10->51 53 Uses Atom Bombing / ProGate to inject into other processes 10->53 55 Queues an APC in another process (thread injection) 10->55 19 explorer.exe 2 49 10->19 injected 23 rundll32.exe 13->23         started        process6 file7 33 C:\Users\user\AppData\Local\...\dwmapi.dll, PE32+ 19->33 dropped 35 C:\Users\user\AppData\Local\...\XmlLite.dll, PE32+ 19->35 dropped 37 C:\Users\user\AppData\Local\...\WTSAPI32.dll, PE32+ 19->37 dropped 39 9 other files (1 malicious) 19->39 dropped 49 Benign windows process drops PE files 19->49 25 MDMAppInstaller.exe 19->25         started        27 omadmclient.exe 19->27         started        29 RecoveryDrive.exe 19->29         started        31 10 other processes 19->31 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/638d61552ef31e3d7cce6712f6b2cda877fd3b853296076dd0d09f6674e9cadb/
Threat name:
Win64.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 06:16:46 UTC
AV detection:
35 of 45 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
0af3d57056580eb2ce6503c353bb007ddab908d40968e5a33086a770431b6ed7
Dridex
0f1815e5302dbda2fb39635ceaeb64be63201336d65ff46184a853a3a130fa41
Dridex
57d827993f62af3fa1fe553bdce016556e7b21039407dee00310c5c929bdc716
Dridex
9a05c94e55a98b836732ffb0481133e211f0060998cd04c0e8e90c9069f4f6d9
Dridex
a623c257fff6e655987378a1df688fd666fb787c0c38392b79af1774282b6c9c
Dridex
bd8eda34944bdde088f555da5f844f37e305a22a4c1a9f58ecbd7c78b4f85207
Dridex
c633b49b9c00977277c54935fe6774a27c18bbbd7d496645259169b9d9251c20
Dridex
d22889807714346d037cf2ad96e45642f50a2598501d888fa0c7300e56a1d337
Dridex
e386764a9c7e902bd8bd81957195a1eafb75a588fb8e260c0b72994fbef5d180
Dridex
f133a2b42820c2fc3c4994e3f1eda9ec14ceaff608ce7b05f7e1834e228b7857
Dridex
+ 1'016 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/210924-gtrr1agad5/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
638d61552ef31e3d7cce6712f6b2cda877fd3b853296076dd0d09f6674e9cadb
MD5 hash:
fb6196a0ad3475eeefebd8f3c52b3bad
SHA1 hash:
4526bf3c8011e6edcdd0ea93ae4066021e9a9d41
Link:
https://www.unpac.me/results/072f50ca-13e5-4f18-9212-835d07ff01c2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/638d61552ef3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/638d61552ef31e3d7cce6712f6b2cda877fd3b853296076dd0d09f6674e9cadb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190966/

Comments