Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
17/02/2025, 22:37
Static task
static1
Behavioral task
behavioral1
Sample
The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral3
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Dridex.JhiSharp.dll.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Dridex.JhiSharp.dll.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral5
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral7
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexLoader.bin.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexLoader.bin.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral9
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral11
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral13
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Resource
win10v2004-20250217-en
Behavioral task
behavioral17
Sample
The-MALWARE-Repo-master/Banking-Malware/Zloader.xlsm
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
The-MALWARE-Repo-master/Banking-Malware/Zloader.xlsm
Resource
win10v2004-20250217-en
Behavioral task
behavioral19
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral20
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral21
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral22
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral23
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86
Resource
ubuntu2204-amd64-20240729-en
Behavioral task
behavioral24
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral25
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral26
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619
Resource
ubuntu2204-amd64-20240729-en
Behavioral task
behavioral27
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral28
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral29
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral30
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd
Resource
ubuntu2404-amd64-20240729-en
Behavioral task
behavioral31
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/90b61cc77bb2d726219fd00ae2d0ecdf6f0fe7078529e87b7ec8e603008232d5
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral32
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948
Resource
ubuntu2204-amd64-20240611-en
General
-
Target
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
-
Size
628KB
-
MD5
97a26d9e3598fea2e1715c6c77b645c2
-
SHA1
c4bf3a00c9223201aa11178d0f0b53c761a551c4
-
SHA256
e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
-
SHA512
acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
-
SSDEEP
12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 1128 Process not Found -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bvqjtr = "\"C:\\Users\\Admin\\AppData\\Roaming\\WCrNABB\\javaws.exe\"" Process not Found -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\system32\yrqdf\wusa.exe cmd.exe File opened for modification C:\Windows\system32\yrqdf\wusa.exe cmd.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile\shell Process not Found Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile\shell\open Process not Found Key deleted \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile\shell\open Process not Found Key deleted \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile\shell Process not Found Key deleted \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile Process not Found Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\gSffju.cmd" Process not Found Key deleted \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile\shell\open\command Process not Found Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MSCFile\shell\open\command Process not Found -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1936 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2512 rundll32.exe 2512 rundll32.exe 2512 rundll32.exe 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found 1128 Process not Found -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 1128 wrote to memory of 2812 1128 Process not Found 31 PID 1128 wrote to memory of 2812 1128 Process not Found 31 PID 1128 wrote to memory of 2812 1128 Process not Found 31 PID 1128 wrote to memory of 1248 1128 Process not Found 32 PID 1128 wrote to memory of 1248 1128 Process not Found 32 PID 1128 wrote to memory of 1248 1128 Process not Found 32 PID 1128 wrote to memory of 380 1128 Process not Found 34 PID 1128 wrote to memory of 380 1128 Process not Found 34 PID 1128 wrote to memory of 380 1128 Process not Found 34 PID 1128 wrote to memory of 2236 1128 Process not Found 35 PID 1128 wrote to memory of 2236 1128 Process not Found 35 PID 1128 wrote to memory of 2236 1128 Process not Found 35 PID 1128 wrote to memory of 1644 1128 Process not Found 37 PID 1128 wrote to memory of 1644 1128 Process not Found 37 PID 1128 wrote to memory of 1644 1128 Process not Found 37 PID 1644 wrote to memory of 1344 1644 eventvwr.exe 38 PID 1644 wrote to memory of 1344 1644 eventvwr.exe 38 PID 1644 wrote to memory of 1344 1644 eventvwr.exe 38 PID 1344 wrote to memory of 1936 1344 cmd.exe 40 PID 1344 wrote to memory of 1936 1344 cmd.exe 40 PID 1344 wrote to memory of 1936 1344 cmd.exe 40 PID 1128 wrote to memory of 1672 1128 Process not Found 41 PID 1128 wrote to memory of 1672 1128 Process not Found 41 PID 1128 wrote to memory of 1672 1128 Process not Found 41 PID 1672 wrote to memory of 1856 1672 cmd.exe 43 PID 1672 wrote to memory of 1856 1672 cmd.exe 43 PID 1672 wrote to memory of 1856 1672 cmd.exe 43 PID 1128 wrote to memory of 2916 1128 Process not Found 44 PID 1128 wrote to memory of 2916 1128 Process not Found 44 PID 1128 wrote to memory of 2916 1128 Process not Found 44 PID 2916 wrote to memory of 2944 2916 cmd.exe 46 PID 2916 wrote to memory of 2944 2916 cmd.exe 46 PID 2916 wrote to memory of 2944 2916 cmd.exe 46 PID 1128 wrote to memory of 2928 1128 Process not Found 47 PID 1128 wrote to memory of 2928 1128 Process not Found 47 PID 
1128 wrote to memory of 2928 1128 Process not Found 47 PID 2928 wrote to memory of 1480 2928 cmd.exe 49 PID 2928 wrote to memory of 1480 2928 cmd.exe 49 PID 2928 wrote to memory of 1480 2928 cmd.exe 49 PID 1128 wrote to memory of 112 1128 Process not Found 51 PID 1128 wrote to memory of 112 1128 Process not Found 51 PID 1128 wrote to memory of 112 1128 Process not Found 51 PID 112 wrote to memory of 1308 112 cmd.exe 53 PID 112 wrote to memory of 1308 112 cmd.exe 53 PID 112 wrote to memory of 1308 112 cmd.exe 53 PID 1128 wrote to memory of 1780 1128 Process not Found 54 PID 1128 wrote to memory of 1780 1128 Process not Found 54 PID 1128 wrote to memory of 1780 1128 Process not Found 54 PID 1780 wrote to memory of 952 1780 cmd.exe 56 PID 1780 wrote to memory of 952 1780 cmd.exe 56 PID 1780 wrote to memory of 952 1780 cmd.exe 56 PID 1128 wrote to memory of 2520 1128 Process not Found 57 PID 1128 wrote to memory of 2520 1128 Process not Found 57 PID 1128 wrote to memory of 2520 1128 Process not Found 57 PID 2520 wrote to memory of 2780 2520 cmd.exe 59 PID 2520 wrote to memory of 2780 2520 cmd.exe 59 PID 2520 wrote to memory of 2780 2520 cmd.exe 59 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1 1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2512
-
C:\Windows\system32\javaws.exe C:\Windows\system32\javaws.exe 1⤵ PID:2812
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\97k.cmd 1⤵ PID:1248
-
C:\Windows\system32\wusa.exe C:\Windows\system32\wusa.exe 1⤵ PID:380
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\CNl.cmd 1⤵
- Drops file in System32 directory
PID:2236
-
C:\Windows\System32\eventvwr.exe "C:\Windows\System32\eventvwr.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\system32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\gSffju.cmd 2⤵
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\system32\schtasks.exe schtasks.exe /Create /F /TN "Fvvls" /TR C:\Windows\system32\yrqdf\wusa.exe /SC minute /MO 60 /RL highest 3⤵
- Scheduled Task/Job: Scheduled Task
PID:1936
-
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Fvvls" 1⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\system32\schtasks.exe schtasks.exe /Query /TN "Fvvls" 2⤵ PID:1856
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Fvvls" 1⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\system32\schtasks.exe schtasks.exe /Query /TN "Fvvls" 2⤵ PID:2944
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Fvvls" 1⤵
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\system32\schtasks.exe schtasks.exe /Query /TN "Fvvls" 2⤵ PID:1480
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Fvvls" 1⤵
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\system32\schtasks.exe schtasks.exe /Query /TN "Fvvls" 2⤵ PID:1308
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Fvvls" 1⤵
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\system32\schtasks.exe schtasks.exe /Query /TN "Fvvls" 2⤵ PID:952
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Fvvls" 1⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\schtasks.exe schtasks.exe /Query /TN "Fvvls" 2⤵ PID:2780
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize
235B
MD5 31d01f63571e442d1816527c1c3c6ad5
SHA1 828b8f98705f1ec31d33e4f838c0db3e6ca7dcee
SHA256 e3b61fddcca00e2927084518ba97f60751afcabc422bf1fa6aba0f990dd8e1c6
SHA512 76fec6e00ac8d13bcf42c7d0ddd1fc584843f91b348162fc0ca2112a0dbec0043e52e9c9a1508bccf0701dfa039af173e044d9553e9c9a98fa73c988df47899b
-
Filesize
195B
MD5 3e3f98a2b64de4bf107d3dbddb468f57
SHA1 d2ec7c90e22d81ac455debdc2cfd7840b05fa4e3
SHA256 2f52d026a8d67f58368f91610dbdae80b5081fb82089c33a3d035e3e30bdba5a
SHA512 b796b64f1b9877d73b9326114aca95928e07228f84393553b5b7bdfb6199da60c67c7541efe6abff893ed23a5b423b8b07fb5209466790fe402e2499f42792a3
-
Filesize
119B
MD5 3ac81e1f6e68bedc4ae629164dad5bc5
SHA1 a0a84461ab27621123dd20cdfd9436b2413508ba
SHA256 ae2e0fe3c421b0046af1b1ceaf8e5a13a6beb1343bf58f35d745d8713d5d3b9e
SHA512 1fa5ac8064817d389652672065e7d4b12cd2bd703f335bc06ec39f8b400c329718c6de2014c46a6c46df7e29a44fbffffd0219c7c7e13f2bad2fe33f5498682a
-
Filesize
628KB
MD5 8442d5d45d2bdc15fd4b04639d1f35ac
SHA1 c47a8e4de801e39478023123bcb1fbae012e1bc4
SHA256 b001d3c130f416be910f4bc1f523457d48ed7aa886fb4d83f041658ad93c33bf
SHA512 995c71d36b96c58de90094ec329979f115cd6220b439daaa68eada05d06c23013f1faa90491155ca587988f8776cbdab5232a3d7dadd23d2026fc1b969c6abe8
-
Filesize
628KB
MD5 7dcea9cc58a85910c71a78eb8bc5483c
SHA1 31065803ef56b42d06493174330e49c17d4f688d
SHA256 4caad9c94e07ccbba02f9bec0bc287bbb741cfc3eb88feb1a14fcddac1ee4885
SHA512 2053a7ec25f9969f6a42f08bf2610e0af80a96f147e95e62fe56207160f27f7d6c4c3bb77d5aaec0dd156b592ffb88ff49a652bb11909f77e5e09470981ef2ff
-
Filesize
880B
MD5 508ace1e1526c8030becacb6077963de
SHA1 c400afd4ce3f9b56891fa607149089189a48754e
SHA256 e886e38b530ec48226a4d7530aa61718b061f1f12e8eb3e923ea4fcd0c74c0bf
SHA512 8d2ac93acc1f7c4c624f946ef62dcd7710a26c55430229626ddc656d8a0f4d67c007ebddf1dde8ae63b06d02565ce16314fd8631077edab398e8617aa10561eb
-
Filesize
312KB
MD5 f94bc1a70c942621c4279236df284e04
SHA1 8f46d89c7db415a7f48ccd638963028f63df4e4f
SHA256 be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c
SHA512 60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52