MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe5653f57a75c6a17486b23168450984a2bcccea39f6c8852a274a8eb1246dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfe5653f57a75c6a17486b23168450984a2bcccea39f6c8852a274a8eb1246dd
SHA3-384 hash: 73a1236450621a70faa4a3eea7ac4850070af6893cef2ec9d00a4f8b30977310e24fbac9c8ce4b2a3ea02a8f071babb7
SHA1 hash: 4928d3f1c8a0b39ec84686aeeb5f5de0c62212dc
MD5 hash: 15555a38f1aa91ee649e26d718d01dd7
humanhash: single-fourteen-robin-foxtrot
File name:bfe5653f57a75c6a17486b23168450984a2bcccea39f6c8852a274a8eb1246dd
Download: download sample
Signature Dridex
Create hunting rule
File size:1'609'728 bytes
First seen:2021-11-26 09:25:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a2e61e1749a0183eccaadb9c4ef6ec2 (40 x Dridex)
ssdeep 12288:ZZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:ZZK6F7nVeRmDFJivohZFV
Threatray 1'723 similar samples on MalwareBazaar
TLSH T16375E102FF9963E6E9502DF695F0F2A3C9F4F6854C280229DB65545F9CA0ACEBC110ED
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bfe5653f57a75c6a17486b23168450984a2bcccea39f6c8852a274a8eb1246dd
Verdict:
No threats detected
Analysis date:
2021-11-26 09:33:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/737cd56e-4df0-4f2f-bd6c-6b245e0baf17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.41927.11983.13514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Changing a file
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
DNS request
Reading critical registry keys
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Forced shutdown of a browser
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a0a83602c80febc2aa0a56/reports/7c283824-739e-4f9b-8db0-ff5b8ad64c5c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6150b298-409b-4bc0-a138-5ca64142221e
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
bank.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896841
Signature
Accesses ntoskrnl, likely to find offsets for exploits
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Checks if browser processes are running
Contains functionality to compare user and computer (likely to detect sandboxes)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529334 Sample: uW2K6OpbTr Startdate: 26/11/2021 Architecture: WINDOWS Score: 100 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected Dridex unpacked file 2->51 9 loaddll64.exe 1 2->9         started        process3 process4 11 rundll32.exe 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 9->16         started        18 rundll32.exe 9->18         started        signatures5 61 Changes memory attributes in foreign processes to executable or writable 11->61 63 Uses Atom Bombing / ProGate to inject into other processes 11->63 65 Queues an APC in another process (thread injection) 11->65 20 explorer.exe 2 58 11->20 injected 24 rundll32.exe 14->24         started        process6 file7 37 C:\Users\user\AppData\Local\zcqar9C\SPP.dll, PE32+ 20->37 dropped 39 C:\Users\user\AppData\Local\...\WTSAPI32.dll, PE32+ 20->39 dropped 41 C:\Users\user\AppData\Local\...\ie4uinit.exe, PE32+ 20->41 dropped 43 15 other files (5 malicious) 20->43 dropped 53 Benign windows process drops PE files 20->53 55 Accesses ntoskrnl, likely to find offsets for exploits 20->55 26 ie4uinit.exe 20->26         started        29 MpCmdRun.exe 1 20->29         started        31 CameraSettingsUIHost.exe 20->31         started        33 16 other processes 20->33 signatures8 process9 signatures10 57 Checks if browser processes are running 26->57 59 Contains functionality to compare user and computer (likely to detect sandboxes) 26->59 35 conhost.exe 29->35         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfe5653f57a75c6a17486b23168450984a2bcccea39f6c8852a274a8eb1246dd/
Threat name:
Win64.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 15:16:59 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
118fa6b30edc4d2bf9714aa9191ac530ed03b41230e94b4e6ddd32e0c22c56be
Dridex
16204d7e51d5ef70f0b829d5b05161a18db2f4fdb31c81862be3fc1ea2045ce5
Dridex
242ceec6f5000a48618d138fa52d20a9350a0fb36f6a202ef098d15656376c79
Dridex
34b87ca49b68d8e9f165cba7fbdd47c091619ea7f81eef67464419367a63e7a6
Dridex
4f046367de5b84f8f623d246b2493e16d3454ab632488c4c200839f6fbefcac8
Dridex
57d827993f62af3fa1fe553bdce016556e7b21039407dee00310c5c929bdc716
Dridex
7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
Dridex
7596538df46ad7db3f0fba3efa3a5b8622a5c659f2cc0e6f5b7e80ab982e4281
Dridex
80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665
Dridex
b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79
Dridex
+ 1'713 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/211126-ld769sbecr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
bfe5653f57a75c6a17486b23168450984a2bcccea39f6c8852a274a8eb1246dd
MD5 hash:
15555a38f1aa91ee649e26d718d01dd7
SHA1 hash:
4928d3f1c8a0b39ec84686aeeb5f5de0c62212dc
Link:
https://www.unpac.me/results/90ada978-0f9f-45e5-ac3b-3c56e9fdab1e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bfe5653f57a7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bfe5653f57a75c6a17486b23168450984a2bcccea39f6c8852a274a8eb1246dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/209636/

Comments