MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d
SHA3-384 hash: b5c062d457a39922e3085027c23bd314d32ed88f81d04cbe927638bf424c56b652fb6a9e32a4595d7652a92123e1a613
SHA1 hash: eb31c27903cc0d4bb2a9a4a6760bd0e60416a276
MD5 hash: 0d2d32a9d4d31d4448df2902ef9590e2
humanhash: quebec-edward-delta-july
File name:a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d
Download: download sample
Signature Dridex
Create hunting rule
File size:1'241'088 bytes
First seen:2021-11-26 09:30:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 72906e44c69f979a7a4dfcb492a7b5bb (28 x Dridex)
ssdeep 12288:fGVNJAvuPFUl/faxmVlBLXKCgFfEK7JRLeHlX//ve7:e3JAvRl/fKQKCgFfx4P/va
Threatray 1'694 similar samples on MalwareBazaar
TLSH T13045D162E36871E4C5739A31D03F551F0AB66D2268598205FB723A740D3FAC9FFE8129
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d
Verdict:
No threats detected
Analysis date:
2021-11-26 11:15:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b7c534d-c139-4490-ae0f-a596dc93e910

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Malware.Mikey-9910251-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Changing a file
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
DNS request
Reading critical registry keys
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Forced shutdown of a browser
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a0a95eb71ceed415315d1b/reports/e1bb63c0-c03a-4200-ab8a-fe33a5a9c3b0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3139ed92-0ab9-4d94-aeee-b8c2900ce625
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896644
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Contains functionality to prevent local Windows debugging
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529123 Sample: AsXeW7Pz8A Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 3 other signatures 2->57 8 loaddll64.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 iexplore.exe 2 83 8->13         started        15 cmd.exe 1 8->15         started        17 3 other processes 8->17 signatures5 61 Changes memory attributes in foreign processes to executable or writable 10->61 63 Uses Atom Bombing / ProGate to inject into other processes 10->63 65 Queues an APC in another process (thread injection) 10->65 19 explorer.exe 2 61 10->19 injected 23 iexplore.exe 7 143 13->23         started        26 rundll32.exe 15->26         started        process6 dnsIp7 37 C:\Users\user\AppData\Local\oiy8m\mfpmp.exe, PE32+ 19->37 dropped 39 C:\Users\user\AppData\Local\...\XmlLite.dll, PE32+ 19->39 dropped 41 C:\Users\user\AppData\Local\...\ACTIVEDS.dll, PE32+ 19->41 dropped 43 17 other files (2 malicious) 19->43 dropped 59 Benign windows process drops PE files 19->59 28 mfpmp.exe 19->28         started        31 omadmclient.exe 19->31         started        33 omadmclient.exe 19->33         started        35 15 other processes 19->35 45 dart.l.doubleclick.net 216.58.215.230, 443, 49819, 49820 GOOGLEUS United States 23->45 47 ad-delivery.net 104.26.3.70, 443, 49817, 49818 CLOUDFLARENETUS United States 23->47 49 10 other IPs or domains 23->49 file8 signatures9 process10 signatures11 67 Contains functionality to prevent local Windows debugging 28->67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d/
Threat name:
Win64.Trojan.Occamy
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 23:18:06 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
34 of 45 (75.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
2333c2d09ff9f77f6059834fd49bc59badd21e667947573673d57899a8ffde4a
Dridex
4ded87a18402057f61dfc8ec981d39b0f82253ccc6ddbaceba188e7357153798
Dridex
55216d58eeaf74d484054cccb09bf7563307a5f8af84f7bb96fb35f82df751c9
Dridex
560a905bdddb515f9df6b69d30838a8c2751e35cfa4cf4a1876bc8a5a9e6f1ad
Dridex
57d827993f62af3fa1fe553bdce016556e7b21039407dee00310c5c929bdc716
Dridex
61ba9e5c08d14736a6bf45d0e5fe32bb70b0d906625d338e205bb947198f02b7
Dridex
7671172c43de52366a663c4a57e9360ec46ce153d9e3de88b06dbc47f36b9030
Dridex
c8b515be222c5ed644a449557d40cadbef722d8e53d0d248856076381400654a
Dridex
e28e980cbee4e2410da4cf95542fb62743d30ae2ab6deed43561b61ffbc95c64
Dridex
e33bce4e9033c4dd6d96a9758935f8f339412f3b8a1738329386303c02a04259
Dridex
+ 1'684 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/211126-lg4cgsegh3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d
MD5 hash:
0d2d32a9d4d31d4448df2902ef9590e2
SHA1 hash:
eb31c27903cc0d4bb2a9a4a6760bd0e60416a276
Link:
https://www.unpac.me/results/395f05e3-cb36-4120-8bc8-36df542f14bb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a5282ab1f03b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/209698/

Comments