Play interactive tourEdit tour
Windows Analysis Report 3FLps29lWm
Overview
General Information
Detection
Dridex
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Sigma detected: System File Execution Location Anomaly
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Regsvr32 Command Line Without DLL
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to get notified if a device is plugged in / out
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
Potential key logger detected (key state polling based)
Registers a DLL
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security | ||
Click to see the 7 entries |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: System File Execution Location Anomaly | Show sources |
Source: | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: |
Sigma detected: Regsvr32 Command Line Without DLL | Show sources |
Source: | Author: Florian Roth: |
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Antivirus / Scanner detection for submitted sample | Show sources |
Source: | Avira: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | Code function: | ||
Source: | Code function: |
Source: | File opened: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |