MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbe5c327747783c6787ea289392e3361cfb229f7d5099cd96d474265c2f4fed7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbe5c327747783c6787ea289392e3361cfb229f7d5099cd96d474265c2f4fed7
SHA3-384 hash: 86c050e961b93c0f75d8974c54cfed23c40531d9f9e849cace2543da0edf8334d4ff53080a214d85905dc2c115625e85
SHA1 hash: e24392265b9f452f5dc9c1bd349b7e7c787c3b91
MD5 hash: 01253cb90896795344709e565d5c0148
humanhash: romeo-item-edward-batman
File name:fbe5c327747783c6787ea289392e3361cfb229f7d5099cd96d474265c2f4fed7
Download: download sample
Signature Dridex
Create hunting rule
File size:2'039'808 bytes
First seen:2021-09-29 07:29:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6668be91e2c948b183827f040944057f (1'006 x Dridex)
ssdeep 24576:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnbTmE:5DW/e+WG0Vo6CtSnvm
Threatray 1'197 similar samples on MalwareBazaar
TLSH T13C956B10FFF205C3C09DF739788D3415B2B3AA65811F8A5D824F131E6CA5B912EAE95B
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fbe5c327747783c6787ea289392e3361cfb229f7d5099cd96d474265c2f4fed7
Verdict:
No threats detected
Analysis date:
2021-09-29 07:33:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/367ae103-b365-44df-9829-962df205e964

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192915/
Detection(s):
Win.Packed.Razy-9769561-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Replacing files
Launching the process to change the firewall settings
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Forced shutdown of a browser
Enabling autorun by creating a file
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6ae2828-d1fb-4d42-a307-a90044fbdc04
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/860626
Signature
Accesses ntoskrnl, likely to find offsets for exploits
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Changes memory attributes in foreign processes to executable or writable
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 493058 Sample: cpRYshqbWg Startdate: 29/09/2021 Architecture: WINDOWS Score: 96 42 Antivirus detection for dropped file 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Dridex unpacked file 2->48 9 loaddll64.exe 1 2->9         started        process3 process4 11 cmd.exe 1 9->11         started        13 rundll32.exe 9->13         started        15 rundll32.exe 9->15         started        17 rundll32.exe 9->17         started        process5 19 rundll32.exe 11->19         started        signatures6 50 Changes memory attributes in foreign processes to executable or writable 19->50 52 Uses Atom Bombing / ProGate to inject into other processes 19->52 54 Queues an APC in another process (thread injection) 19->54 22 explorer.exe 3 55 19->22 injected process7 file8 34 C:\Users\user\AppData\Local\...\OLEACC.dll, PE32+ 22->34 dropped 36 C:\Users\user\AppData\Local\VTaLd\WINMM.dll, PE32+ 22->36 dropped 38 C:\Users\user\AppData\Local\...\VERSION.dll, PE32+ 22->38 dropped 40 13 other files (2 malicious) 22->40 dropped 56 Benign windows process drops PE files 22->56 58 Accesses ntoskrnl, likely to find offsets for exploits 22->58 26 iexpress.exe 22->26         started        28 Utilman.exe 22->28         started        30 DmNotificationBroker.exe 22->30         started        32 13 other processes 22->32 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbe5c327747783c6787ea289392e3361cfb229f7d5099cd96d474265c2f4fed7/
Threat name:
Win64.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 09:04:46 UTC
AV detection:
33 of 45 (73.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
3ffaadafb37e294f41825fb7d515b2a56eaf3b8a8c4d2941383036c50b0b3a85
Dridex
496636ca904c6d802faa632d5857f3c330219d8d1f1edae703ca075bf35b3187
Dridex
4df9e95ebac377c636a429bd414f9b84ab65348bcd8826822805a31ea1d6e101
Dridex
507b6645ae27e145dea7b078c9c93ec52bf5638a97e7f90742705796d3083a67
Dridex
575786d55af8f36ccfe0006dc8210bd9673c0464f4702fbf59e222d6bd9943c1
Dridex
5937a2db15eab928a144f21d51eab13b1cd66098af53dd9d24e2fc70cf36df2b
Dridex
6c4ef32846873a184c52ef2b4a195462a46dccfd859dfb1ec0bece847e4c0dc9
Dridex
777422c9a7b097359cc2546acf4936f5ba6a0f81a28a0fd872499914ba3e7eb1
Dridex
8fbe42ee1c059fba6107bafcd16b4694952e3761fe0cd181692d90774df2a770
Dridex
9623aebce4b63a5f65889ae5aed4aa49fff128b45ad0210507c4b0dbbf06073e
Dridex
+ 1'187 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion payload persistence trojan
Link:
https://tria.ge/reports/210929-jbvgaaeag2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Dridex Shellcode
Dridex
Unpacked files
SH256 hash:
fbe5c327747783c6787ea289392e3361cfb229f7d5099cd96d474265c2f4fed7
MD5 hash:
01253cb90896795344709e565d5c0148
SHA1 hash:
e24392265b9f452f5dc9c1bd349b7e7c787c3b91
Link:
https://www.unpac.me/results/96ff7982-a0e8-4762-b35d-9d6bc3d20665/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fbe5c3277477/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/fbe5c327747783c6787ea289392e3361cfb229f7d5099cd96d474265c2f4fed7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192915/

Comments