Loading... Additional Content is being loaded
Windows Analysis Report 6ZV65nCMYQ
Overview
General Information
| Sample Name: | 6ZV65nCMYQ (renamed file extension from none to exe) |
| Analysis ID: | 448941 |
| MD5: | 622f4aa2d5e82438f3a40a35ab4902d5 |
| SHA1: | b486db47021575c47e7b130bed1ad70b8bf6a719 |
| SHA256: | 277089cb78a9c493cecd8f5fbe70df0577d4f9557fb8b55ff5f7c2505308ca3a |
| Tags: | 32exe |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
Dridex Dropper
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Dridex dropper found
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
AV Detection: |
  |
|---|
| Found malware configuration |
| Source: |
Malware Configuration Extractor: |
||
| Multi AV Scanner detection for submitted file |
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Machine Learning detection for sample |
| Source: |
Joe Sandbox ML: |
||
| Antivirus or Machine Learning detection for unpacked file |
| Source: |
Avira: |
||
Compliance: |
|
|---|
| Detected unpacking (overwrites its own PE header) |
| Source: |
Unpacked PE file: |
||
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
Networking: |
|
|---|
| C2 URLs / IPs found in malware configuration |
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| Source: |
IPs: |
||
| IP address seen in connection with other malware |
| Source: |
IP Address: |
||
| Source: |
IP Address: |
||
| Source: |
IP Address: |
||
| Internet Provider seen in connection with other malware |
| Source: |
ASN Name: |
||
| Source: |
ASN Name: |
||
| Source: |
ASN Name: |
||
E-Banking Fraud: |
|
|---|
| Dridex dropper found |
| Source: |
Signature Results: |
||
| Yara detected Dridex unpacked file |
| Source: |
File source: |
||
| Source: |
File source: |
||
System Summary: |
|
|---|
| Abnormal high CPU Usage |
| Source: |
Process Stats: |
||
| Contains functionality to call native functions |
| Source: |
Code function: |
0_2_10012840 | |
| Source: |
Code function: |
0_2_1001223C | |
| Source: |
Code function: |
0_2_1000BB88 | |
| Detected potential crypto function |
| Source: |
Code function: |
0_2_10010754 | |
| Source: |
Code function: |
0_2_10011460 | |
| Source: |
Code function: |
0_2_1000846C | |
| Source: |
Code function: |
0_2_10001494 | |
| Source: |
Code function: |
0_2_1000A52C | |
| Source: |
Code function: |
0_2_10011D58 | |
| Source: |
Code function: |
0_2_10019348 | |
| Sample file is different than original file name gathered from version info |
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Uses 32bit PE files |
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Classification label: |
||
| Source: |
Static PE information: |
||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Virustotal: |
||
| Source: |
ReversingLabs: |
||
| Source: |
Static PE information: |
||
| Source: |
Static PE information: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
Data Obfuscation: |
|
|---|
| Detected unpacking (changes PE section rights) |
| Source: |
Unpacked PE file: |
||
| Detected unpacking (overwrites its own PE header) |
| Source: |
Unpacked PE file: |
||
| Uses code obfuscation techniques (call, push, ret) |
| Source: |
Code function: |
0_2_1000F6CD | |
| Source: |
Static PE information: |
||
Malware Analysis System Evasion: |
|
|---|
| Tries to delay execution (extensive OutputDebugStringW loop) |
| Source: |
Section loaded: |
||
| Tries to detect sandboxes / dynamic malware analysis system (file name check) |
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Tries to detect virtualization through RDTSC time measurements |
| Source: |
RDTSC instruction interceptor: |
||
| Source: |
RDTSC instruction interceptor: |
||
| Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
| Source: |
Window / User API: |
Jump to behavior | ||
| May sleep (evasive loops) to hinder dynamic analysis |
| Source: |
Thread sleep count: |
Jump to behavior | ||
| Program does not show much activity (idle) |
| Source: |
Thread injection, dropped files, key value created, disk infection and DNS query: |
||
| Sample execution stops while process was sleeping (likely an evasion) |
| Source: |
Last function: |
||
| Source: |
Last function: |
||
| Source: |
Code function: |
0_2_10010754 | |
Anti Debugging: |
|
|---|
| Found potential dummy code loops (likely to delay analysis) |
| Source: |
Process Stats: |
||
| Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) |
| Source: |
Code function: |
0_2_10019AB4 | |
| Contains functionality to check if a debugger is running (OutputDebugString,GetLastError) |
| Source: |
Code function: |
0_2_10006D50 | |
| Program does not show much activity (idle) |
| Source: |
Thread injection, dropped files, key value created, disk infection and DNS query: |
||
| Source: |
Code function: |
0_2_10013110 | |
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
Language, Device and Operating System Detection: |
|
|---|
| Contains functionality to query locales information (e.g. system language) |
| Source: |
Code function: |
0_2_10006D50 | |
| Source: |
Code function: |
0_2_10006D50 | |
| Source: |
Key value queried: |
Jump to behavior | ||
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Contacted Public IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 78.46.78.42 | unknown | Germany | 24940 | HETZNER-ASDE | true | |
| 202.29.60.34 | unknown | Thailand | 24344 | CMRU-AS-APChiangmaiRajabhatUniversityTH | true | |
| 66.175.217.172 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true |