MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53f4a066d6a3d7b6f55ede5e054b04747a662d50c5765abbd3a48fb638a6248. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d53f4a066d6a3d7b6f55ede5e054b04747a662d50c5765abbd3a48fb638a6248
SHA3-384 hash: 24e469b956c5d465b0e46be26a00d30ca9f3b1e11e49ac9d6ad0009f65aa7fe7dc05f3deae63b276ce7802cd97111b3b
SHA1 hash: 9dd5b0604a06b696d8a797188c46e39c1883ab73
MD5 hash: 3dac09bac7c22bd4e97528dcec777a67
humanhash: uniform-kilo-seventeen-winter
File name:d53f4a066d6a3d7b6f55ede5e054b04747a662d50c5765abbd3a48fb638a6248
Download: download sample
Signature Dridex
Create hunting rule
File size:1'368'064 bytes
First seen:2021-11-26 09:27:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a2e61e1749a0183eccaadb9c4ef6ec2 (40 x Dridex)
ssdeep 12288:0ZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:0ZK6F7nVeRmDFJivohZFV
Threatray 1'714 similar samples on MalwareBazaar
TLSH T1B455E102FF9963E6E9502DF695F0F2A3C9F4F6854C280229DB65545F9CA0ACEBC110ED
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d53f4a066d6a3d7b6f55ede5e054b04747a662d50c5765abbd3a48fb638a6248
Verdict:
No threats detected
Analysis date:
2021-11-26 09:40:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d24ed7e5-eb00-4cf7-8a1b-3af05ef68788

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.41927.11983.13514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Changing a file
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Enabling autorun by creating a file
Forced shutdown of a browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a0a8abf36138de3f3e9a12/reports/7763dd94-a1bd-473d-98ba-268b36889cb9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7e2c199-240d-4d57-9263-c10ac9fba91d
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/896717
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: System File Execution Location Anomaly
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529195 Sample: vQyN0LQPOU Startdate: 26/11/2021 Architecture: WINDOWS Score: 96 53 Antivirus detection for dropped file 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 2 other signatures 2->59 8 loaddll64.exe 1 2->8         started        process3 process4 10 regsvr32.exe 8->10         started        13 iexplore.exe 1 69 8->13         started        16 cmd.exe 1 8->16         started        18 3 other processes 8->18 dnsIp5 63 Changes memory attributes in foreign processes to executable or writable 10->63 65 Uses Atom Bombing / ProGate to inject into other processes 10->65 67 Queues an APC in another process (thread injection) 10->67 20 explorer.exe 2 57 10->20 injected 51 192.168.2.1 unknown unknown 13->51 24 iexplore.exe 2 113 13->24         started        27 rundll32.exe 16->27         started        signatures6 process7 dnsIp8 37 C:\Users\user\AppData\Local\...\UxTheme.dll, PE32+ 20->37 dropped 39 C:\Users\user\AppData\Local\...\Taskmgr.exe, PE32+ 20->39 dropped 41 C:\Users\user\AppData\Local\...\OLEACC.dll, PE32+ 20->41 dropped 43 14 other files (2 malicious) 20->43 dropped 61 Benign windows process drops PE files 20->61 29 BackgroundTransferHost.exe 20->29         started        31 mspaint.exe 20->31         started        33 mspaint.exe 20->33         started        35 10 other processes 20->35 45 dart.l.doubleclick.net 142.250.180.70, 443, 49831, 49832 GOOGLEUS United States 24->45 47 ad-delivery.net 104.26.2.70, 443, 49833, 49834 CLOUDFLARENETUS United States 24->47 49 10 other IPs or domains 24->49 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d53f4a066d6a3d7b6f55ede5e054b04747a662d50c5765abbd3a48fb638a6248/
Threat name:
Win64.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 15:54:55 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
097b1d3b8d85d2cffcf337f3f574c0830f91e7a9104907828fb5014ac3904c22
Dridex
2a9eee2d4a689729f8aa6d173eb41948a79595c5b95b181908c38aba0271e7ff
Dridex
5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19
Dridex
763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda
Dridex
80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665
Dridex
899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb
Dridex
8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933
Dridex
96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395
Dridex
a35a441cebe6101f1b6c2bccc4ef43fb86e45374628763843f4992bcee41d58e
Dridex
b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79
Dridex
+ 1'704 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/211126-lfc4xaege4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
d53f4a066d6a3d7b6f55ede5e054b04747a662d50c5765abbd3a48fb638a6248
MD5 hash:
3dac09bac7c22bd4e97528dcec777a67
SHA1 hash:
9dd5b0604a06b696d8a797188c46e39c1883ab73
Link:
https://www.unpac.me/results/d3d1ecd1-ca99-4e58-81b0-d9c63b592ed8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d53f4a066d6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d53f4a066d6a3d7b6f55ede5e054b04747a662d50c5765abbd3a48fb638a6248

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/209640/

Comments