| Field | Value |
|---|---|
| Sample Name | Dridex (renamed file extension from none to exe) |
| Analysis ID | 393200 |
| MD5 | 6e5654da58c03df6808466f0197207ed |
| SHA1 | 594f33ad9d7f85625a88c24903243ba9788fba86 |
| SHA256 | e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc |
| Tags | Dridex, ProcessHollowing, RunPE |
| Score | 84 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
AV Detection:

| Signature | Source |
|---|---|
| Antivirus / Scanner detection for submitted sample | Avira |
| Multi AV Scanner detection for submitted file | Metadefender; ReversingLabs |
| Machine Learning detection for sample | Joe Sandbox ML |
| Antivirus or Machine Learning detection for unpacked file | Avira (6 unpacked files) |
Compliance:

| Signature | Source |
|---|---|
| Uses 32bit PE files | Static PE information |
| | Code function: 0_2_00401160, 0_1_00401160 |
Networking:

| Signature | Source |
|---|---|
| Detected TCP or UDP traffic on non-standard ports | TCP traffic (4 entries) |
| TCP traffic detected without corresponding DNS query | 35 entries |
Key, Mouse, Clipboard, Microphone and Screen Capturing:

| Signature | Source |
|---|---|
| Creates a DirectInput object (often for capturing keystrokes) | Binary or memory string |
System Summary:

| Signature | Source |
|---|---|
| Contains functionality to call native functions | Code function: 0_2_02370018 |
| Detected potential crypto function | Code function: 1_2_0040AC50, 1_2_00412888, 1_2_0040BB48, 1_2_0041434E, 1_2_00407B1D, 1_2_00413F88, 1_1_0040AC50, 1_1_00412888, 1_1_0040BB48, 1_1_0041434E, 1_1_00407B1D, 1_1_00413F88 |
| Sample file is different than original file name gathered from version info | Binary or memory string (5 entries) |
| Uses 32bit PE files | Static PE information |
| | Classification label |
| | Code function: 0_2_02370018 |
| | Key opened |
| | Metadefender; ReversingLabs |
| | File read |
| | Process created (3 entries) |
| | Static PE information |
Data Obfuscation:

| Signature | Source |
|---|---|
| Detected unpacking (changes PE section rights) | Unpacked PE file |
| PE file contains an invalid checksum | Static PE information |
| Uses code obfuscation techniques (call, push, ret) | Code function: 0_2_004025EE, 0_2_023740EE, 0_1_004025EE, 1_2_0041007A, 1_2_004100A2, 1_2_0041017E, 1_2_004105E5, 1_2_004105BD, 1_2_004101BE, 1_2_00414EE2, 1_1_0041007A, 1_1_004100A2, 1_1_0041017E, 1_1_004105E5, 1_1_004105BD, 1_1_004101BE, 1_1_00414EE2 |
Hooking and other Techniques for Hiding and Protection:

| Signature | Source |
|---|---|
| Contains functionality to check if a window is minimized (may be used to check if an application is visible) | Code function: 0_2_00401C40 |
| | Process information set (9 entries) |
Malware Analysis System Evasion:

| Signature | Source |
|---|---|
| Contains functionality to detect virtual machines | Code function: 0_2_02370018 |
| Tries to detect sandboxes / dynamic malware analysis system (file name check) | File opened |
| Contains long sleeps (>= 3 min) | Thread delayed (2 entries) |
| May sleep (evasive loops) to hinder dynamic analysis | Thread sleep time (10 entries) |
| Program does not show much activity (idle) | Thread injection, dropped files, key value created, disk infection and DNS query |
| Sample execution stops while process was sleeping (likely an evasion) | Last function |
| | Code function: 0_2_00401160, 0_1_00401160 |
| | Thread delayed (10 entries) |
| | Binary or memory string (2 entries) |
| | Process information queried |
Anti Debugging:

| Signature | Source |
|---|---|
| Contains functionality to read the PEB | Code function: 0_2_02373BD4, 1_2_0040E874, 1_1_0040E874 |
| Program does not show much activity (idle) | Thread injection, dropped files, key value created, disk infection and DNS query |
HIPS / PFW / Operating System Protection Evasion:

| Signature | Source |
|---|---|
| Contains functionality to inject code into remote processes | Code function: 0_2_02370018 |
| Injects a PE file into a foreign process | Memory written |
| Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection) | Code function: 0_2_02370018 (2 entries) |
| Creates a process in suspended mode (likely to inject code) | Process created |
| | Binary or memory string (4 entries) |
Language, Device and Operating System Detection:

| Signature | Source |
|---|---|
| Contains functionality to query locales information (e.g. system language) | Code function: 0_2_00401160, 0_1_00401160 |
| Queries the installation date of Windows | Key value queried |
| | Code function: 0_2_00401160 |
| | Key value queried |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 103.252.100.44 | unknown | Indonesia | 59147 | IDNIC-DRUPADI-AS-IDPTDrupadiPrimaID | false |
| 89.108.71.148 | unknown | Russian Federation | 43146 | AGAVA3RU | false |
| 221.132.35.56 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | false |
| 94.73.155.12 | unknown | Turkey | 34619 | CIZGITR | false |