MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41
SHA3-384 hash: 2b14b4c5d315c1b91241d23609df75fd7e63a2c8a7e5b7bdaf9b3cdc7c9bb805ebb409ed0dc05e6a9e90bd63b926dcfa
SHA1 hash: f72d2ad6c232ae4772f22e32ea40e1bf5d2abf4b
MD5 hash: 1e4c7c247cceb3a4b9c588c638bc878b
humanhash: blossom-william-thirteen-chicken
File name:abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41
Download: download sample
Signature Dridex
Create hunting rule
File size:1'458'176 bytes
First seen:2021-11-26 09:26:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a2e61e1749a0183eccaadb9c4ef6ec2 (40 x Dridex)
ssdeep 12288:SZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:SZK6F7nVeRmDFJivohZFV
Threatray 1'720 similar samples on MalwareBazaar
TLSH T15B65E102FF9963E5E9502DFA95F0F2A3C9F4F6854C280229DB65545F9CA0ACEBC110ED
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41
Verdict:
No threats detected
Analysis date:
2021-11-26 09:33:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58daec2e-4ddc-47ab-bcab-35c06a737b79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.41927.11983.13514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Changing a file
DNS request
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Forced shutdown of a browser
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a0a869f36138de3f3e997b/reports/7713083e-f4b2-43f5-8a69-601f531307fb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdefd1e9-f4a5-4cdf-ae13-f5ffa044741e
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896828
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Contains functionality to infect the boot sector
DLL side loading technique detected
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529305 Sample: LWWC2E9mgi Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 2 other signatures 2->57 8 loaddll64.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 iexplore.exe 1 50 8->13         started        15 cmd.exe 1 8->15         started        17 3 other processes 8->17 signatures5 63 Changes memory attributes in foreign processes to executable or writable 10->63 65 Uses Atom Bombing / ProGate to inject into other processes 10->65 67 Queues an APC in another process (thread injection) 10->67 19 explorer.exe 2 67 10->19 injected 23 iexplore.exe 2 108 13->23         started        26 rundll32.exe 15->26         started        process6 dnsIp7 37 C:\Users\user\AppData\Local\...\wbengine.exe, PE32+ 19->37 dropped 39 C:\Users\user\AppData\Local\IgCrd\DUI70.dll, PE32+ 19->39 dropped 41 C:\Users\user\AppData\Local\IIH\VERSION.dll, PE32+ 19->41 dropped 43 21 other files (1 malicious) 19->43 dropped 59 Benign windows process drops PE files 19->59 61 DLL side loading technique detected 19->61 28 wbengine.exe 19->28         started        31 DmNotificationBroker.exe 19->31         started        33 DmNotificationBroker.exe 19->33         started        35 11 other processes 19->35 45 dart.l.doubleclick.net 216.58.206.38, 443, 49846, 49847 GOOGLEUS United States 23->45 47 ad-delivery.net 104.26.3.70, 443, 49848, 49849 CLOUDFLARENETUS United States 23->47 49 10 other IPs or domains 23->49 file8 signatures9 process10 signatures11 69 Contains functionality to infect the boot sector 28->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41/
Threat name:
Win64.Trojan.Occamy
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 14:27:50 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
2e3345d45293cd602f027f8a9c0ffbe4435aca82efff9d09318e38af7b4aff0f
Dridex
402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65
Dridex
5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19
Dridex
763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda
Dridex
80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665
Dridex
8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933
Dridex
96de5810e971a8db608ef7932e4fe14a7fd9c48cf630df5b46f75ab9d60cedaf
Dridex
a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407
Dridex
a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99
Dridex
b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79
Dridex
+ 1'710 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/211126-lerkxaegd2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41
MD5 hash:
1e4c7c247cceb3a4b9c588c638bc878b
SHA1 hash:
f72d2ad6c232ae4772f22e32ea40e1bf5d2abf4b
Link:
https://www.unpac.me/results/0e797222-5a75-4916-80b5-f87df6ce4e85/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/abadcd128b40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/209667/

Comments