Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ciao

Overview

General Information

Sample Name:ciao (renamed file extension from none to exe)
Analysis ID:586535
MD5:2950930fd9685a9a7d26c965c529b60f
SHA1:9ce522284f4ed862d0815968c91451f074b85e81
SHA256:484573512eb4bf8cbfd85c4b209bc12bfc17cd873d733cfc4b49ce13914b9443
Infos:

Detection

Dridex CryptOne
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected Dridex e-Banking trojan
Yara detected CryptOne packer
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to query network adapater information
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • ciao.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\ciao.exe" MD5: 2950930FD9685A9A7D26C965C529B60F)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", "103.199.16.245:1512", "123.206.58.135:8172"], "RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", "v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_CryptYara detected CryptOne packerJoe Security
    00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
      00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.ciao.exe.2240000.1.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
          0.2.ciao.exe.400000.0.raw.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
            0.2.ciao.exe.2240000.1.raw.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
              0.2.ciao.exe.400000.0.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security

                Sigma Signatures

                No Sigma rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: ciao.exeAvira: detected
                Found malware configuration
                Source: 0.2.ciao.exe.2240000.1.raw.unpackMalware Configuration Extractor: Dridex {"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", "103.199.16.245:1512", "123.206.58.135:8172"], "RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", "v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]}
                Multi AV Scanner detection for submitted file
                Source: ciao.exeMetadefender: Detection: 32%Perma Link
                Source: ciao.exeReversingLabs: Detection: 92%
                Machine Learning detection for sample
                Source: ciao.exeJoe Sandbox ML: detected

                Compliance

                barindex
                Detected unpacking (overwrites its own PE header)
                Source: C:\Users\user\Desktop\ciao.exeUnpacked PE file: 0.2.ciao.exe.400000.0.unpack
                Source: ciao.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_0042CEF8 FindFirstFileExW,0_2_0042CEF8

                Networking

                barindex
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorIPs: 172.104.87.236:1512
                Source: Malware configuration extractorIPs: 111.230.104.169:3388
                Source: Malware configuration extractorIPs: 103.199.16.245:1512
                Source: Malware configuration extractorIPs: 123.206.58.135:8172
                Source: global trafficTCP traffic: 192.168.2.5:49780 -> 111.230.104.169:3388
                Source: global trafficTCP traffic: 192.168.2.5:49789 -> 103.199.16.245:1512
                Source: global trafficTCP traffic: 192.168.2.5:49793 -> 123.206.58.135:8172
                Source: Joe Sandbox ViewASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
                Source: Joe Sandbox ViewASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 123.206.58.135
                Source: unknownTCP traffic detected without corresponding DNS query: 123.206.58.135
                Source: unknownTCP traffic detected without corresponding DNS query: 123.206.58.135
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: ciao.exe, 00000000.00000002.694824738.000000000009D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://123.206.58.135:8172/h
                Source: unknownDNS traffic detected: queries for: store-images.s-microsoft.com

                E-Banking Fraud

                barindex
                Yara detected Dridex unpacked file
                Source: Yara matchFile source: 0.2.ciao.exe.2240000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.ciao.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.ciao.exe.2240000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.ciao.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Detected Dridex e-Banking trojan
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_00405150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW,0_2_00405150