Analysis Report Dridex

Overview

General Information

Sample Name: Dridex (renamed file extension from none to exe)
Analysis ID: 393200
MD5: 6e5654da58c03df6808466f0197207ed
SHA1: 594f33ad9d7f85625a88c24903243ba9788fba86
SHA256: e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc
Tags: Dridex, ProcessHollowing, RunPE

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Program does not show much activity (idle)
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Dridex.exe (PID: 6616 cmdline: 'C:\Users\user\Desktop\Dridex.exe' MD5: 6E5654DA58C03DF6808466F0197207ED)
    • Dridex.exe (PID: 6660 cmdline: C:\Users\user\Desktop\Dridex.exe MD5: 6E5654DA58C03DF6808466F0197207ED)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Dridex.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Dridex.exe | Metadefender: Detection: 86%
Source: Dridex.exe | ReversingLabs: Detection: 100%
Machine Learning detection for sample
Source: Dridex.exe | Joe Sandbox ML: detected
Source: 0.2.Dridex.exe.28a0000.7.unpack | Avira: Label: TR/Taranis.403
Source: 0.0.Dridex.exe.400000.0.unpack | Avira: Label: TR/Taranis.403
Source: 0.2.Dridex.exe.2470000.6.unpack | Avira: Label: TR/Taranis.403
Source: 1.0.Dridex.exe.400000.0.unpack | Avira: Label: TR/Taranis.403
Source: 0.2.Dridex.exe.400000.1.unpack | Avira: Label: TR/Taranis.403
Source: 0.1.Dridex.exe.400000.0.unpack | Avira: Label: TR/Taranis.403
Source: Dridex.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess,
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_1_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,GetTimeZoneInformation,ExitProcess,
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 94.73.155.12:2448
Source: global traffic | TCP traffic: 192.168.2.6:49722 -> 103.252.100.44:4493
Source: global traffic | TCP traffic: 192.168.2.6:49723 -> 89.108.71.148:8843
Source: global traffic | TCP traffic: 192.168.2.6:49725 -> 221.132.35.56:8843
Source: unknown | TCP traffic detected without corresponding DNS query: 94.73.155.12
Source: unknown | TCP traffic detected without corresponding DNS query: 103.252.100.44
Source: unknown | TCP traffic detected without corresponding DNS query: 89.108.71.148
Source: unknown | TCP traffic detected without corresponding DNS query: 221.132.35.56
Source: Dridex.exe, 00000000.00000002.333593653.000000000066A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_02370018 LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_0040AC50
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_00412888
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_0040BB48
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_0041434E
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_00407B1D
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_00413F88
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_0040AC50
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_00412888
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_0040BB48
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_0041434E
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_00407B1D
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_00413F88
Source: Dridex.exe, 00000000.00000002.333632084.0000000000BB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Dridex.exe
Source: Dridex.exe, 00000000.00000002.333620542.0000000000B80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Dridex.exe
Source: Dridex.exe, 00000000.00000002.333741586.0000000002470000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemation.exe vs Dridex.exe
Source: Dridex.exe, 00000001.00000002.594794789.0000000003F50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Dridex.exe
Source: Dridex.exe | Binary or memory string: OriginalFilenamemation.exe vs Dridex.exe
Source: classification engine | Classification label: mal84.evad.winEXE@3/0@0/4
Source: C:\Users\user\Desktop\Dridex.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Dridex.exe | File read: C:\Users\user\Desktop\Dridex.exe
Source: unknown | Process created: C:\Users\user\Desktop\Dridex.exe 'C:\Users\user\Desktop\Dridex.exe'
Source: C:\Users\user\Desktop\Dridex.exe | Process created: C:\Users\user\Desktop\Dridex.exe C:\Users\user\Desktop\Dridex.exe
Source: Dridex.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Dridex.exe | Unpacked PE file: 1.2.Dridex.exe.400000.0.unpack .text:R;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.data1:W;.reloc:R;
Source: Dridex.exe | Static PE information: real checksum: 0x22e32 should be: 0x2b73e
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_004025C0 push eax; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_023740C0 push eax; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_1_004025C0 push eax; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_00410075 push 4D8A84E3h; retf
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_0041009D push 4D8A84E3h; retf
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_0041017B push cs; iretd
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_004105D4 pushfd ; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_004105AF pushfd ; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_004101B6 push cs; retf
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_00414EDC push edi; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_00410075 push 4D8A84E3h; retf
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_0041009D push 4D8A84E3h; retf
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_0041017B push cs; iretd
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_004105D4 pushfd ; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_004105AF pushfd ; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_004101B6 push cs; retf
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_00414EDC push edi; ret
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_00401C40 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,
Source: C:\Users\user\Desktop\Dridex.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contain functionality to detect virtual machines
Source: C:\Users\user\Desktop\Dridex.exe | Code function: VBoxService.exe VBoxService.exe VBoxService.exe VBoxService.exe vmtoolsd.exe vmtoolsd.exe
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Users\user\Desktop\Dridex.exe | File opened: C:\myapp.exe
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 325000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 293000
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -318000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -167000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -148000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -325000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -155000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -149000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -293000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -169000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -123000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 6664 | Thread sleep time: -129000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Dridex.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess,
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_1_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,GetTimeZoneInformation,ExitProcess,
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 159000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 167000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 148000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 325000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 155000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 149000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 293000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 169000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 123000
Source: C:\Users\user\Desktop\Dridex.exe | Thread delayed: delay time: 129000
Source: Dridex.exe | Binary or memory string: VBoxService.exe
Source: Dridex.exe | Binary or memory string: vmtoolsd.exe
Source: C:\Users\user\Desktop\Dridex.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_02373BD4 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_2_0040E874 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 1_1_0040E874 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_02370018 LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc,
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Dridex.exe | Memory written: C:\Users\user\Desktop\Dridex.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Dridex.exe | Code function: LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc, explorer.exe.\
Source: C:\Users\user\Desktop\Dridex.exe | Process created: C:\Users\user\Desktop\Dridex.exe C:\Users\user\Desktop\Dridex.exe
Source: Dridex.exe, 00000001.00000002.593513151.0000000002230000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Dridex.exe, 00000001.00000002.593513151.0000000002230000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Dridex.exe, 00000001.00000002.593513151.0000000002230000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: Dridex.exe, 00000001.00000002.593513151.0000000002230000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Dridex.exe | Code function: MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess,
Source: C:\Users\user\Desktop\Dridex.exe | Code function: MapViewOfFile,GetLocaleInfoW,FindFirstFileA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,GetTimeZoneInformation,ExitProcess,
Source: C:\Users\user\Desktop\Dridex.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\Dridex.exe | Code function: 0_2_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess,
Source: C:\Users\user\Desktop\Dridex.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 222 | Virtualization/Sandbox Evasion 221 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 222 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 221 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 11 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 23 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Behavior Graph


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Dridex.exe | 86% | Metadefender |
Dridex.exe | 100% | ReversingLabs | Win32.Backdoor.Drixed
Dridex.exe | 100% | Avira | TR/Taranis.403
Dridex.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.Dridex.exe.28a0000.7.unpack | 100% | Avira | TR/Taranis.403
0.0.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Taranis.403
1.2.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.Dridex.exe.2470000.6.unpack | 100% | Avira | TR/Taranis.403
1.0.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Taranis.403
0.2.Dridex.exe.400000.1.unpack | 100% | Avira | TR/Taranis.403
0.1.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Taranis.403
0.2.Dridex.exe.2380000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.1.Dridex.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.252.100.44 | unknown | Indonesia | 59147 | IDNIC-DRUPADI-AS-IDPTDrupadiPrimaID | false
89.108.71.148 | unknown | Russian Federation | 43146 | AGAVA3RU | false
221.132.35.56 | unknown | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | false
94.73.155.12 | unknown | Turkey | 34619 | CIZGITR | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 393200
Start date: 20.04.2021
Start time: 09:53:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Dridex (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.winEXE@3/0@0/4
EGA Information: Failed
HDC Information:
  • Successful, ratio: 51.4% (good quality ratio 48.9%)
  • Quality average: 76.7%
  • Quality standard deviation: 29%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/393200/sample/Dridex.exe

Simulations

Behavior and APIs

Time | Type | Description
09:54:22 | API Interceptor | 11x Sleep call for process: Dridex.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: VNPT-AS-VNVNPTCorpVN
  • PO45937008ADENGY.exe (malicious), context: 123.31.43.181
  • 8QGglvUeYO.exe (malicious), context: 103.42.58.103
  • networkmanager (malicious), context: 14.188.135.58
  • WUHU95Apq3 (malicious), context: 113.183.33.163
  • G0ESHzsrvg.exe (malicious), context: 103.255.237.180
  • 6OUYcd3GIs.exe (malicious), context: 103.255.237.180
  • http://singaedental.vn/wp-content/lQ/ (malicious), context: 202.92.7.113
  • http://covisa.com.br/paypal-closed-y2hir/ABqY1RAPjaNGnFw9flbsTw3mbHnBB1OUWRV6kbbvfAryr4bmEsDoeNMECXf3fg6io/ (malicious), context: 202.92.7.113
  • Adjunto_2021.doc (malicious), context: 202.92.7.113
  • Dok 0501 012021 Q_93291.doc (malicious), context: 202.92.7.113
  • 11_extracted.exe (malicious), context: 103.207.39.131
  • https://correolimpio.telefonica.es/atp/url-check.php?URL=https%3A%2F%2Fnhabeland.vn%2Fsercurirys%2FRbvPk%2F&D=53616c7465645f5f824c0b393b6f3e2d3c9a50d9826547979a4ceae42fdf4a21ec36a319de1437ef72976b2e7ef710bdb842a205880238cf08cf04b46eccce50114dbc4447f1aa62068b81b9d426da6b&V=1 (malicious), context: 103.255.237.61
  • SecuriteInfo.com.ArtemisC5924E341E9E.exe (malicious), context: 103.255.237.239
  • INFO 2020 DWP_947297.doc (malicious), context: 14.177.232.31
  • MESSAGIO 83-46447904.doc (malicious), context: 123.31.24.142
  • Order List and Quantities.ppt (malicious), context: 103.207.39.131
  • Purchase list.ppt (malicious), context: 103.207.39.131
  • 2020141248757837844.ppt (malicious), context: 103.207.39.131
  • PurchaseOrder#Q7677.ppt (malicious), context: 103.207.39.131
  • Remittance Scan00201207.ppt (malicious), context: 103.207.39.131
Match: AGAVA3RU
  • Zh2Gv0wJtk.exe (malicious), context: 80.78.246.22
  • c3XD756MSN.exe (malicious), context: 89.108.88.140
  • O6RQ377jNN.exe (malicious), context: 89.108.88.140
  • SecuriteInfo.com.Trojan.Siggen12.58144.411.exe (malicious), context: 89.108.88.140
  • 7Q1bVVkIIL.exe (malicious), context: 89.108.88.140
  • R2o3eEx5Zj.exe (malicious), context: 89.108.88.140
  • 5MZKivSsq7.exe (malicious), context: 80.78.245.80
  • z9mXoeDPej.exe (malicious), context: 89.108.88.140
  • SecuriteInfo.com.W32.AIDetect.malware1.20229.exe (malicious), context: 89.108.88.140
  • SecuriteInfo.com.W32.AIDetect.malware1.15067.exe (malicious), context: 89.108.88.140
  • SecuriteInfo.com.W32.AIDetect.malware1.13347.exe (malicious), context: 89.108.88.140
  • SecuriteInfo.com.W32.AIDetect.malware1.8119.exe (malicious), context: 89.108.88.140
  • seed.exe (malicious), context: 89.108.88.140
  • SecuriteInfo.com.Heur.17834.xls (malicious), context: 89.108.122.188
  • SecuriteInfo.com.Heur.9646.xls (malicious), context: 89.108.122.188
  • SecuriteInfo.com.Heur.17834.xls (malicious), context: 89.108.122.188
  • SecuriteInfo.com.Heur.9646.xls (malicious), context: 89.108.122.188
  • Claim-2016732059-02092021.xls (malicious), context: 89.108.122.188
  • Claim-2016732059-02092021.xls (malicious), context: 89.108.122.188
  • Claim-1610138277-02092021.xls (malicious), context: 89.108.122.188

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.640683635227719
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Dridex.exe
File size: 176128
MD5: 6e5654da58c03df6808466f0197207ed
SHA1: 594f33ad9d7f85625a88c24903243ba9788fba86
SHA256: e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc
SHA512: 6542a42528f11085376ba893615cd7b68b37e1c78427c678db658e6174ca8d0ac893b071aa55e8d3924a6a2235657322eadf025f10e26c4a0c9858e3c12eb264
SSDEEP: 3072:qZkKstjomW1XBJqhhPQa77l79KQXF6yvf4FkbmB7VU2fMa+:zvUmgqkm9KQXF6yvwCbu7gT
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............B...B...B#..B...B)..Bj..B...B...Bj..B...B...B...BW..B9..B...B...B:..B...BW..Bi..BRich...B................PE..L...b.QV...

File Icon

Icon Hash: c08c6665996135a7

Static PE Info

General

Entrypoint: 0x402410
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5651A962 [Sun Nov 22 11:39:14 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3c0df6d8c78f9ce11bee326616d075a2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00403770h
push 00402612h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00403260h]
pop ecx
or dword ptr [00407128h], FFFFFFFFh
or dword ptr [0040712Ch], FFFFFFFFh
call dword ptr [00403264h]
mov ecx, dword ptr [0040711Ch]
mov dword ptr [eax], ecx
call dword ptr [00403268h]
mov ecx, dword ptr [00407118h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040326Ch]
mov eax, dword ptr [eax]
mov dword ptr [00407124h], eax
call 00007FF08CC89637h
cmp dword ptr [00406FD0h], ebx
jne 00007FF08CC894AEh
push 0040260Eh
call dword ptr [00403270h]
pop ecx
call 00007FF08CC89609h
push 00405028h
push 00405024h
call 00007FF08CC895F4h
mov eax, dword ptr [00407114h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00407110h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00403278h]
push 00405020h
push 00405000h
call 00007FF08CC895C1h

Rich Headers

Programming Language:
  • [C++] VS2002 (.NET) build 9466
  • [EXP] VC++ 6.0 SP5 build 8804
  • [ASM] VS2002 (.NET) build 9466

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1000 | 0x10 | .text
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3980 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x23e9c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa000 | 0x22 | .rsrc
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x2f0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1850 | 0x2000 | False | 0.381591796875 | data | 4.8857712628 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x1148 | 0x2000 | False | 0.22705078125 | data | 3.18379463097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0x2130 | 0x2000 | False | 0.441162109375 | data | 4.29630200062 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x8000 | 0x23e9c | 0x24000 | False | 0.962103949653 | data | 7.93888068706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL | Import
MFC42.DLL | -
MSVCRT.dll | _controlfp, _onexit, __dllonexit, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, _setmbcp, __CxxFrameHandler, strtol, _exit, _XcptFilter, exit
KERNEL32.dll | FindNextFileW, GetTimeZoneInformation, ExitProcess, GetModuleFileNameA, FlushFileBuffers, SetStdHandle, HeapDestroy, FindFirstFileA, HeapReAlloc, GetDateFormatA, GetEnvironmentStrings, GetACP, GetCommandLineA, GetModuleHandleA, GetStartupInfoA, GetLocaleInfoW, CreateFileW, MapViewOfFile, GetOEMCP, CreateFileA, GetModuleFileNameW
USER32.dll | IsIconic, GetCaretBlinkTime, ShowWindow, UpdateWindow, GetCursorPos, PeekMessageW, RegisterClipboardFormatW, GetSystemMetrics, HideCaret, GetSystemMenu, AppendMenuA, SendMessageA, LoadIconA, MessageBoxIndirectA, GetDesktopWindow, DrawIcon, EnableWindow, GetClientRect
GDI32.dll | GetCharABCWidthsFloatA, CreateCompatibleDC
ADVAPI32.dll | RegDeleteKeyW
OLEAUT32.dll | VariantClear

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/20/21-09:53:56.512323 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.548392 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 84.17.52.126 | 192.168.2.6
04/20/21-09:53:56.548789 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.585493 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 5.56.20.161 | 192.168.2.6
04/20/21-09:53:56.585894 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.632458 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 81.95.2.138 | 192.168.2.6
04/20/21-09:53:56.634351 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.684778 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 151.139.80.6 | 192.168.2.6
04/20/21-09:53:56.686368 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.736294 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | - | - | 151.139.80.13 | 192.168.2.6
04/20/21-09:53:56.736727 | ICMP | 384 | ICMP PING | - | - | 192.168.2.6 | 205.185.216.42
04/20/21-09:53:56.786580 | ICMP | 408 | ICMP Echo Reply | - | - | 205.185.216.42 | 192.168.2.6

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2021 09:54:01.980242968 CEST | 49710 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:54:04.986002922 CEST | 49710 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:54:10.986838102 CEST | 49710 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:54:23.121998072 CEST | 49722 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:54:23.347047091 CEST | 4493 | 49722 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:54:23.846987009 CEST | 49722 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:54:24.070667982 CEST | 4493 | 49722 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:54:24.581424952 CEST | 49722 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:54:24.804922104 CEST | 4493 | 49722 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:54:24.930471897 CEST | 49723 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:54:25.012185097 CEST | 8843 | 49723 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:54:25.518956900 CEST | 49723 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:54:25.599697113 CEST | 8843 | 49723 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:54:26.112911940 CEST | 49723 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:54:26.193877935 CEST | 8843 | 49723 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:54:26.324467897 CEST | 49725 | 8843 | 192.168.2.6 | 221.132.35.56
Apr 20, 2021 09:54:29.331882954 CEST | 49725 | 8843 | 192.168.2.6 | 221.132.35.56
Apr 20, 2021 09:54:35.457282066 CEST | 49725 | 8843 | 192.168.2.6 | 221.132.35.56
Apr 20, 2021 09:54:47.732934952 CEST | 49733 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:54:50.739876986 CEST | 49733 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:54:56.755979061 CEST | 49733 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:55:08.876112938 CEST | 49747 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:55:09.102027893 CEST | 4493 | 49747 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:55:09.616362095 CEST | 49747 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:55:09.842179060 CEST | 4493 | 49747 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:55:10.350907087 CEST | 49747 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:55:10.578915119 CEST | 4493 | 49747 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:55:10.706809998 CEST | 49748 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:55:10.788043022 CEST | 8843 | 49748 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:55:11.288642883 CEST | 49748 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:55:11.369493008 CEST | 8843 | 49748 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:55:11.882234097 CEST | 49748 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:55:11.965500116 CEST | 8843 | 49748 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:55:12.077649117 CEST | 49749 | 8843 | 192.168.2.6 | 221.132.35.56
Apr 20, 2021 09:55:15.070101976 CEST | 49749 | 8843 | 192.168.2.6 | 221.132.35.56
Apr 20, 2021 09:55:21.086074114 CEST | 49749 | 8843 | 192.168.2.6 | 221.132.35.56
Apr 20, 2021 09:55:33.201924086 CEST | 49754 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:55:36.228055954 CEST | 49754 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:55:42.230663061 CEST | 49754 | 2448 | 192.168.2.6 | 94.73.155.12
Apr 20, 2021 09:55:54.352848053 CEST | 49756 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:55:54.579914093 CEST | 4493 | 49756 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:55:55.081360102 CEST | 49756 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:55:55.309356928 CEST | 4493 | 49756 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:55:55.815732002 CEST | 49756 | 4493 | 192.168.2.6 | 103.252.100.44
Apr 20, 2021 09:55:56.043368101 CEST | 4493 | 49756 | 103.252.100.44 | 192.168.2.6
Apr 20, 2021 09:55:56.162945986 CEST | 49757 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:55:56.244903088 CEST | 8843 | 49757 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:55:56.753408909 CEST | 49757 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:55:56.836299896 CEST | 8843 | 49757 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:55:57.347174883 CEST | 49757 | 8843 | 192.168.2.6 | 89.108.71.148
Apr 20, 2021 09:55:57.432483912 CEST | 8843 | 49757 | 89.108.71.148 | 192.168.2.6
Apr 20, 2021 09:55:57.555047035 CEST | 49758 | 8843 | 192.168.2.6 | 221.132.35.56
Apr 20, 2021 09:56:00.566162109 CEST | 49758 | 8843 | 192.168.2.6 | 221.132.35.56

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 09:53:56
Start date: 20/04/2021
Path: C:\Users\user\Desktop\Dridex.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Dridex.exe'
Imagebase: 0x400000
File size: 176128 bytes
MD5 hash: 6E5654DA58C03DF6808466F0197207ED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 09:53:58
Start date: 20/04/2021
Path: C:\Users\user\Desktop\Dridex.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Dridex.exe
Imagebase: 0x400000
File size: 176128 bytes
MD5 hash: 6E5654DA58C03DF6808466F0197207ED
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
