MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a59dbcc6a2bcd039e7c83b3a5ca6c5381498a71e0c6963aed0a9505160a46b95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a59dbcc6a2bcd039e7c83b3a5ca6c5381498a71e0c6963aed0a9505160a46b95
SHA3-384 hash: 22983858b38907586e5bde8b9f57aa65d8119c309268ef6db798333605ba25a3e8b9afaf0c13706c377f369bf1b7e944
SHA1 hash: 03559c6c2812493102f07210a4f7cfff92af379f
MD5 hash: 1386cf6cb8643dc47749d5b3208d6377
humanhash: quebec-cold-nitrogen-fanta
File name:a59dbcc6a2bcd039e7c83b3a5ca6c5381498a71e0c6963aed0a9505160a46b95
Download: download sample
Signature Dridex
Create hunting rule
File size:2'088'960 bytes
First seen:2021-09-24 06:05:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6668be91e2c948b183827f040944057f (1'006 x Dridex)
ssdeep 12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Threatray 991 similar samples on MalwareBazaar
TLSH T1C7A5E010EE69E1E6C6B89F3E9408352317F93D75110D618CC392608F9EFC6546E3E9AE
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190970/
Detection(s):
Win.Packed.Razy-9769561-0
Create hunting rule

Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80b43e3f-60ca-45d6-94c5-b24714590ade
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857069
Signature
Accesses ntoskrnl, likely to find offsets for exploits
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489501 Sample: 5pG7H5XLEj Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 42 Antivirus detection for dropped file 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 8 loaddll64.exe 1 2->8         started        process3 signatures4 54 Changes memory attributes in foreign processes to executable or writable 8->54 56 Uses Atom Bombing / ProGate to inject into other processes 8->56 58 Queues an APC in another process (thread injection) 8->58 11 rundll32.exe 8->11         started        14 rundll32.exe 8->14         started        16 cmd.exe 1 8->16         started        18 16 other processes 8->18 process5 signatures6 60 Changes memory attributes in foreign processes to executable or writable 11->60 62 Uses Atom Bombing / ProGate to inject into other processes 11->62 20 explorer.exe 3 100 11->20 injected 24 rundll32.exe 16->24         started        process7 file8 34 C:\Users\user\AppData\Local\...\OLEACC.dll, PE32+ 20->34 dropped 36 C:\Users\user\AppData\Local\...\appwiz.cpl, PE32+ 20->36 dropped 38 C:\Users\user\AppData\Local\e8yx\SLC.dll, PE32+ 20->38 dropped 40 43 other files (10 malicious) 20->40 dropped 50 Benign windows process drops PE files 20->50 52 Accesses ntoskrnl, likely to find offsets for exploits 20->52 26 OptionalFeatures.exe 20->26         started        28 OptionalFeatures.exe 20->28         started        30 dpapimig.exe 20->30         started        32 2 other processes 20->32 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a59dbcc6a2bcd039e7c83b3a5ca6c5381498a71e0c6963aed0a9505160a46b95/
Threat name:
Win64.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 04:49:00 UTC
AV detection:
34 of 45 (75.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
169a95a8e428aed820b3cecb3edfdc797467eee633ef4dbd3bb1b9c3e70408c3
Dridex
55216d58eeaf74d484054cccb09bf7563307a5f8af84f7bb96fb35f82df751c9
Dridex
7545a4c9a7430c16fc2ed00cbe43a7533ac0782b25537513a9fa47a4b99b6f5b
Dridex
9623aebce4b63a5f65889ae5aed4aa49fff128b45ad0210507c4b0dbbf06073e
Dridex
96e7dbc31aa22528aada6691f684b886c4f8b2ad08357aa32939f264535a3807
Dridex
ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe
Dridex
af3dbdf4f22244919fd723a271ff368238e61264bd24b5f81211f95e39923de3
Dridex
d13344ee62cf128968ec0600bdabb258a6350f49c0a2121975c82a2090b8415a
Dridex
d2ae7be48837bc1bb80dfca99f085cb41e84b9b097bf2e655f206c5c22596d41
Dridex
fbd44d276f51a9ff283439793ee731c9c71053c2b0057ca50b100ee54b9006a1
Dridex
+ 981 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/210924-gtrr1agad7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
a59dbcc6a2bcd039e7c83b3a5ca6c5381498a71e0c6963aed0a9505160a46b95
MD5 hash:
1386cf6cb8643dc47749d5b3208d6377
SHA1 hash:
03559c6c2812493102f07210a4f7cfff92af379f
Link:
https://www.unpac.me/results/acdf50b7-5872-43e0-9159-444a88d5239f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a59dbcc6a2bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/a59dbcc6a2bcd039e7c83b3a5ca6c5381498a71e0c6963aed0a9505160a46b95

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190970/

Comments