MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db6336e0308cd67df8df87b6fd17c2627a9e81e032f36f8b63469d290737be51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db6336e0308cd67df8df87b6fd17c2627a9e81e032f36f8b63469d290737be51
SHA3-384 hash: 76218f76cb645b44bcf19a53c9159775befb5f0495ef4e8b2a9e452d2f7427ff4a74aed266da4df55f8c28312cfbbc32
SHA1 hash: bd63f3fe97778d51a4219b80e5dd32941e14f72e
MD5 hash: 00205da444744d96c94a2605300ba85c
humanhash: lima-helium-nuts-foxtrot
File name:db6336e0308cd67df8df87b6fd17c2627a9e81e032f36f8b63469d290737be51
Download: download sample
Signature Dridex
Create hunting rule
File size:1'933'312 bytes
First seen:2021-09-13 07:55:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6668be91e2c948b183827f040944057f (1'006 x Dridex)
ssdeep 12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1LNG6fO:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnbVO
Threatray 444 similar samples on MalwareBazaar
TLSH T1EC95E010FE69EDE6C6B99F3E9408352317B93D75030DA18CC391604F5EF82546E3E9AA
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
db6336e0308cd67df8df87b6fd17c2627a9e81e032f36f8b63469d290737be51
Verdict:
No threats detected
Analysis date:
2021-09-13 08:20:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e224f6ba-33b1-4b6b-a734-cb7b185b74ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187392/
Detection(s):
Win.Packed.Razy-9769561-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Launching the process to change the firewall settings
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Forced shutdown of a browser
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6174ff309a5a1e91c5d1faab/reports/f010ee3a-7d44-47c1-a78a-77a864747194/overview
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f3765e1-8c76-480d-b9ba-e2d7845c78c4
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849570
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Contains functionality to prevent local Windows debugging
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Regsvr32 Command Line Without DLL
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 482002 Sample: 4LKdBPJIx7 Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 53 Antivirus detection for dropped file 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 4 other signatures 2->59 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 regsvr32.exe 8->12         started        15 iexplore.exe 2 82 8->15         started        17 cmd.exe 1 8->17         started        19 8 other processes 8->19 signatures5 63 Changes memory attributes in foreign processes to executable or writable 12->63 65 Uses Atom Bombing / ProGate to inject into other processes 12->65 67 Queues an APC in another process (thread injection) 12->67 21 explorer.exe 28 56 12->21 injected 25 iexplore.exe 7 121 15->25         started        28 rundll32.exe 17->28         started        process6 dnsIp7 39 C:\Users\user\AppData\Local\...\mfpmp.exe, PE32+ 21->39 dropped 41 C:\Users\user\AppData\Local\...\dwmapi.dll, PE32+ 21->41 dropped 43 C:\Users\user\AppData\Local\...\SYSDM.CPL, PE32+ 21->43 dropped 45 9 other files (1 malicious) 21->45 dropped 61 Benign windows process drops PE files 21->61 30 mfpmp.exe 21->30         started        33 PresentationHost.exe 21->33         started        35 PresentationHost.exe 21->35         started        37 4 other processes 21->37 47 dart.l.doubleclick.net 172.217.19.102, 443, 49788, 49789 GOOGLEUS United States 25->47 49 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49818, 49819 FASTLYUS United States 25->49 51 12 other IPs or domains 25->51 file8 signatures9 process10 signatures11 69 Contains functionality to prevent local Windows debugging 30->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db6336e0308cd67df8df87b6fd17c2627a9e81e032f36f8b63469d290737be51/
Threat name:
Win64.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 19:21:00 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
34 of 45 (75.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
31e1cd942be9a47bcd66c35f7ebc3f1155bd264545a7783f5a7937783122a613
Dridex
365f819cd7af15d73d01d9dae8dcdf28a9d954bdbbdfe14fe4971cd82d7ab5e7
Dridex
5bdeebf38319abd9ad7c576727b21fd6a43a0e85d918b272bcf23be8681d943f
Dridex
709918af85f60d12f08253cfeafe86587f3599aa7eb9ba4557f6727a2becd74d
Dridex
968b703ced1498eb3337d525414ba971022fa471761bfe9f4ae7232c9b213c18
Dridex
994af9a2c1fe96e94a95f0bc85bb6a6fcac476d812a66ed4fd2f9055b34c5f43
Dridex
9d6548aede41b68fc486586b90b6a050b7f960c22b553d80f54bf7bcc6ab6c11
Dridex
cf13a4341ae1c3973d52f7ded069c63420437a4a93b2f616fbda675404cef8ca
Dridex
e226eec1bdd34ddbf224a9d3d4566b2f8d31a910512dc96974ebb6a564c4b9a2
Dridex
ebd49c46e2aec521b36fcaba75eba029f965bf33e8acca10a595e17bb720f47f
Dridex
+ 434 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/210913-jsp8wsdcg2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
db6336e0308cd67df8df87b6fd17c2627a9e81e032f36f8b63469d290737be51
MD5 hash:
00205da444744d96c94a2605300ba85c
SHA1 hash:
bd63f3fe97778d51a4219b80e5dd32941e14f72e
Link:
https://www.unpac.me/results/db6081dc-afd2-457a-8c80-46d5e9ee0de9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/db6336e0308c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db6336e0308cd67df8df87b6fd17c2627a9e81e032f36f8b63469d290737be51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187392/

Comments