Play interactive tourEdit tour
Windows Analysis Report 4TWEQh2HJb
Overview
General Information
Detection
Dridex
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document exploit detected (creates forbidden files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office creates scripting files
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses code obfuscation techniques (call, push, ret)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Dridex |
---|
{"Version": 22202, "C2 list": ["202.29.60.34:443", "66.175.217.172:13786", "78.46.78.42:9043"], "RC4 keys": ["RQTJGOuDHeSyUCWzdNRZi3fWMitWY9aTc", "2UMW8pusQXiNJDgmuPITkf4TmrOt3Y13lRDWnjBuu16JkzjIG6gNuckQDkiut9pzQHVGfFdlT"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for dropped file | Show sources |
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Compliance: |
---|
Detected unpacking (overwrites its own PE header) | Show sources |
Source: | Unpacked PE file: |
Source: | File opened: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Software Vulnerabilities: |
---|
Document exploit detected (creates forbidden files) | Show sources |
Source: | File created: | Jump to behavior |
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking: |
---|
C2 URLs / IPs found in malware configuration | Show sources |
Source: | IPs: | ||
Source: | IPs: | ||
Source: | IPs: |
Uses known network protocols on non-standard ports | Show sources |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |