MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79cf406b9f5ac1de73d8007b1067c17a3d5278d66d3e6661c3d063855445a882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79cf406b9f5ac1de73d8007b1067c17a3d5278d66d3e6661c3d063855445a882
SHA3-384 hash: 8ad16480e640a9fa81abb25ab8c0c55f8e8a403673a658c1d769d5fb4889d0d93226770b71d46f71eb04ea3c77faf838
SHA1 hash: 77b3f79fbc2b8aa138b8514b840cfa3784ea2218
MD5 hash: 1fb0895c663550136834c57d9ec7a69e
humanhash: five-burger-muppet-solar
File name:79cf406b9f5ac1de73d8007b1067c17a3d5278d66d3e6661c3d063855445a882
Download: download sample
Signature Dridex
Create hunting rule
File size:851'968 bytes
First seen:2021-09-30 11:15:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6b4c2eec8a93016c63563421e15f011 (66 x Dridex)
ssdeep 12288:4dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:SMIJxSDX3bqjhcfHk7MzH6z
Threatray 83 similar samples on MalwareBazaar
TLSH T1D105E094B677A1CAC4A76DF6EDF86D706A122CC3623047A1CE02D1871B751E4CDF2A27
File icon (PE):PE icon
dhash icon 44b2686938d8cc00 (67 x Dridex)
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
79cf406b9f5ac1de73d8007b1067c17a3d5278d66d3e6661c3d063855445a882
Verdict:
No threats detected
Analysis date:
2021-09-30 23:00:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a2532741-e48f-4c28-ae64-46fd72ed514f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193499/
Detection(s):
Win.Dropper.Dridex-9875456-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Launching the process to change the firewall settings
Creating a process with a hidden window
Reading critical registry keys
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Forced shutdown of a browser
Enabling autorun by creating a file
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9db58140-3d19-4db0-99b1-23f6dc583f6b
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/861809
Signature
Antivirus / Scanner detection for submitted sample
Changes memory attributes in foreign processes to executable or writable
Creates files in the system32 config directory
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431 Sample: uM6DtKiKqd.dll Startdate: 30/09/2021 Architecture: WINDOWS Score: 96 30 dlassets-ssl.xboxlive.com 2->30 34 Antivirus / Scanner detection for submitted sample 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Dridex unpacked file 2->38 40 2 other signatures 2->40 8 loaddll64.exe 1 2->8         started        11 explorer.exe 2->11         started        13 svchost.exe 2->13         started        15 16 other processes 2->15 signatures3 process4 dnsIp5 42 Changes memory attributes in foreign processes to executable or writable 8->42 44 Uses Atom Bombing / ProGate to inject into other processes 8->44 46 Queues an APC in another process (thread injection) 8->46 18 rundll32.exe 8->18         started        20 cmd.exe 1 8->20         started        22 rundll32.exe 8->22         started        24 rundll32.exe 8->24         started        48 System process connects to network (likely due to code injection or exploit) 11->48 50 Creates files in the system32 config directory 13->50 32 204.79.197.203, 443, 49706, 49715 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->32 signatures6 process7 process8 26 explorer.exe 18->26 injected 28 rundll32.exe 20->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79cf406b9f5ac1de73d8007b1067c17a3d5278d66d3e6661c3d063855445a882/
Threat name:
Win64.Trojan.Injexa
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 21:41:00 UTC
AV detection:
31 of 45 (68.89%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
0592a33cc1d10ff6498f3f4390794960799f6fbf8868036a65f3d285163967dd
Dridex
110c56dfcb0434891c760de2555c155ca3a0e437bcb1d7c5e1b7ed48af5b4c2d
Dridex
2aad90739ee93eaf5621c70a9cbc6af99949265b73405ed61ad393a8b1b1ff2b
Dridex
2f2cc296a9e826e62812ceecd5e94afb1c8556269d05ff153983325906e58e79
Dridex
5cde6060728528a12aa340e3ae116796ec176edbcf0e2201d0f55c1c0b7e0a9d
Dridex
b26ae66077f01710ea3a0b3ff937586c8f538c6905a906cd2a86c53c4e97685a
Dridex
c94f7789215299282abe47ae342505234d4e8c46e1ab825f79ac1223078e6e1c
Dridex
e5061cb3199664ca06d68725b5e469996bd81a2c3066b9238e4c9285f4efc0ac
Dridex
e5b2e61781be26841034602297e2b8923e4ff8db9dbe492c7e331b64cd7db6a4
Dridex
feabfbc5f68e0eba1d20b0b30886f5cf3013acae38d1292c5fd503636405f085
Dridex
+ 73 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/210930-nc6cdshecq/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Payload
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
79cf406b9f5ac1de73d8007b1067c17a3d5278d66d3e6661c3d063855445a882
MD5 hash:
1fb0895c663550136834c57d9ec7a69e
SHA1 hash:
77b3f79fbc2b8aa138b8514b840cfa3784ea2218
Link:
https://www.unpac.me/results/ca6b7322-5d52-4940-a54b-eb4b03dcb963/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/79cf406b9f5a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/79cf406b9f5ac1de73d8007b1067c17a3d5278d66d3e6661c3d063855445a882

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193499/

Comments