Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ciao

Overview

General Information

Sample Name:ciao (renamed file extension from none to exe)
Analysis ID:586535
MD5:2950930fd9685a9a7d26c965c529b60f
SHA1:9ce522284f4ed862d0815968c91451f074b85e81
SHA256:484573512eb4bf8cbfd85c4b209bc12bfc17cd873d733cfc4b49ce13914b9443
Infos:

Detection

Dridex CryptOne
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected Dridex e-Banking trojan
Yara detected CryptOne packer
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to query network adapater information
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • ciao.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\ciao.exe" MD5: 2950930FD9685A9A7D26C965C529B60F)
  • cleanup
{"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", "103.199.16.245:1512", "123.206.58.135:8172"], "RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", "v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]}
SourceRuleDescriptionAuthorStrings
00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_CryptYara detected CryptOne packerJoe Security
    00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
      00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
        SourceRuleDescriptionAuthorStrings
        0.2.ciao.exe.2240000.1.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
          0.2.ciao.exe.400000.0.raw.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
            0.2.ciao.exe.2240000.1.raw.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
              0.2.ciao.exe.400000.0.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
                No Sigma rule has matched

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Source: ciao.exeAvira: detected
                Source: 0.2.ciao.exe.2240000.1.raw.unpackMalware Configuration Extractor: Dridex {"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", "103.199.16.245:1512", "123.206.58.135:8172"], "RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", "v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]}
                Source: ciao.exeMetadefender: Detection: 32%Perma Link
                Source: ciao.exeReversingLabs: Detection: 92%
                Source: ciao.exeJoe Sandbox ML: detected

                Compliance

                barindex
                Source: C:\Users\user\Desktop\ciao.exeUnpacked PE file: 0.2.ciao.exe.400000.0.unpack
                Source: ciao.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_0042CEF8 FindFirstFileExW,

                Networking

                barindex
                Source: Malware configuration extractorIPs: 172.104.87.236:1512
                Source: Malware configuration extractorIPs: 111.230.104.169:3388
                Source: Malware configuration extractorIPs: 103.199.16.245:1512
                Source: Malware configuration extractorIPs: 123.206.58.135:8172
                Source: global trafficTCP traffic: 192.168.2.5:49780 -> 111.230.104.169:3388
                Source: global trafficTCP traffic: 192.168.2.5:49789 -> 103.199.16.245:1512
                Source: global trafficTCP traffic: 192.168.2.5:49793 -> 123.206.58.135:8172
                Source: Joe Sandbox ViewASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
                Source: Joe Sandbox ViewASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 123.206.58.135
                Source: unknownTCP traffic detected without corresponding DNS query: 123.206.58.135
                Source: unknownTCP traffic detected without corresponding DNS query: 123.206.58.135
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 172.104.87.236
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 111.230.104.169
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: unknownTCP traffic detected without corresponding DNS query: 103.199.16.245
                Source: ciao.exe, 00000000.00000002.694824738.000000000009D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://123.206.58.135:8172/h
                Source: unknownDNS traffic detected: queries for: store-images.s-microsoft.com

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 0.2.ciao.exe.2240000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.ciao.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.ciao.exe.2240000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.ciao.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_00405150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW,
                Source: ciao.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                Source: ciao.exe, 00000000.00000002.695111803.0000000000473000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePSFTP: vs ciao.exe
                Source: ciao.exeBinary or memory string: OriginalFilenamePSFTP: vs ciao.exe
                Source: ciao.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: ciao.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_00405150
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_004167C8
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_00421020
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_0041D030
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_004188C0
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_00418CC0
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_0040ACD0
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_0041A0D0
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_004198DA
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_0041E0A0
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_0042DCA0
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_004250A0
                Source: C:\Users\user\Desktop\ciao.exeCode function: 0_2_00424CA0
                S