Windows Analysis Report
ciao

Overview

General Information

Sample Name: ciao (renamed file extension from none to exe)
Analysis ID: 586535
MD5: 2950930fd9685a9a7d26c965c529b60f
SHA1: 9ce522284f4ed862d0815968c91451f074b85e81
SHA256: 484573512eb4bf8cbfd85c4b209bc12bfc17cd873d733cfc4b49ce13914b9443

Detection

Dridex CryptOne
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected Dridex e-Banking trojan
Yara detected CryptOne packer
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: ciao.exe Avira: detected
Source: 0.2.ciao.exe.2240000.1.raw.unpack Malware Configuration Extractor: Dridex {"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", "103.199.16.245:1512", "123.206.58.135:8172"], "RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", "v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]}
Source: ciao.exe Metadefender: Detection: 32%
Source: ciao.exe ReversingLabs: Detection: 92%
Source: ciao.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\ciao.exe Unpacked PE file: 0.2.ciao.exe.400000.0.unpack
Source: ciao.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_0042CEF8 FindFirstFileExW, 0_2_0042CEF8

Networking

Source: Malware configuration extractor IPs: 172.104.87.236:1512
Source: Malware configuration extractor IPs: 111.230.104.169:3388
Source: Malware configuration extractor IPs: 103.199.16.245:1512
Source: Malware configuration extractor IPs: 123.206.58.135:8172
Source: global traffic TCP traffic: 192.168.2.5:49780 -> 111.230.104.169:3388
Source: global traffic TCP traffic: 192.168.2.5:49789 -> 103.199.16.245:1512
Source: global traffic TCP traffic: 192.168.2.5:49793 -> 123.206.58.135:8172
Source: Joe Sandbox View ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.87.236
Source: unknown TCP traffic detected without corresponding DNS query: 111.230.104.169
Source: unknown TCP traffic detected without corresponding DNS query: 103.199.16.245
Source: unknown TCP traffic detected without corresponding DNS query: 123.206.58.135
Source: ciao.exe, 00000000.00000002.694824738.000000000009D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://123.206.58.135:8172/h
Source: unknown DNS traffic detected: queries for: store-images.s-microsoft.com

E-Banking Fraud

Source: Yara match File source: 0.2.ciao.exe.2240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ciao.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ciao.exe.2240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ciao.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_00405150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, 0_2_00405150
Source: ciao.exe, 00000000.00000002.695111803.0000000000473000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePSFTP: vs ciao.exe
Source: ciao.exe Binary or memory string: OriginalFilenamePSFTP: vs ciao.exe
Source: ciao.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_004122A0 NtDelayExecution, 0_2_004122A0
Source: ciao.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ciao.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ciao.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@1/0@1/4

Data Obfuscation

Source: C:\Users\user\Desktop\ciao.exe Unpacked PE file: 0.2.ciao.exe.400000.0.unpack .text:ER;.rdata:R;.text3:R;.text2:R;.data:W;.data3:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_0044449F push ecx; ret 0_2_004444A0
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_00444254 push ecx; retf 0_2_0044426B
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_0222BBC0 push edx; ret 0_2_0222BD4E
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_022162ED pushad ; iretd 0_2_02216305
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_021F7192 push dword ptr [ebp+ecx*8-49h]; retf 0_2_021F7196
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_0220F6ED push esi; ret 0_2_0220F6F7
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_0221FB94 push esi; ret 0_2_0221FBAB
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_021F89BD push 00000369h; ret 0_2_021F8A48
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_021F89ED push 00000369h; ret 0_2_021F8A48
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_021F0EAF push esi; ret 0_2_021F0EB4
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_021F1D31 push FFFFFFD5h; ret 0_2_021F1D38
Source: ciao.exe Static PE information: section name: .text3
Source: ciao.exe Static PE information: section name: .text2
Source: ciao.exe Static PE information: section name: .data3
Source: initial sample Static PE information: section name: .text entropy: 7.42644876953
Source: C:\Users\user\Desktop\ciao.exe Window / User API: foregroundWindowGot 1776
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 Thread sleep time: -156000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 Thread sleep time: -135000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 Thread sleep time: -125000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 Thread sleep time: -330000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 Thread sleep time: -122000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 Thread sleep time: -143000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\ciao.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ciao.exe Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW, 0_2_00405150
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_022088FD rdtsc 0_2_022088FD
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_00413930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, 0_2_00413930
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_00416C50 KiUserExceptionDispatcher,LdrLoadDll, 0_2_00416C50
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_00417A60 RtlAddVectoredExceptionHandler, 0_2_00417A60
Source: C:\Users\user\Desktop\ciao.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\ciao.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\ciao.exe Code function: 0_2_00412980 GetUserNameW, 0_2_00412980

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY