MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ef049a69d2343a538b8563388f2a9f6838e8e864c6738b1e4934a4e377369a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Dridex


Vendor detections: 7



SHA256 hash: 4ef049a69d2343a538b8563388f2a9f6838e8e864c6738b1e4934a4e377369a9
SHA3-384 hash: 529a737fd958349a17ca1c083ba1c9f7773100352db56b4d864d2dbc0d39593351ddca8810d89b42df203191f3aef4fc
SHA1 hash: 4f2c2e15fbf3b683bc0dfe38353d2f7eee8632a4
MD5 hash: e16a166beb4c710daa177c316febf54c
humanhash: arkansas-saturn-oregon-winter
File name: Qdfo3phy.dll
Signature: Dridex
File size: 684'544 bytes
First seen: 2020-11-03 16:39:23 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 733041ed3d5d6f87a94127c182a02eb4 (1 x Dridex)
ssdeep: 12288:PGrSYFvxuh5zxjz2w5wquy5mQyF6MAdLp0hwP5rGhihccNsaArwYk9gKcKs:PUvQ52QwquOyF3AzxNTMwf9gK3
Threatray: 45 similar samples on MalwareBazaar
TLSH: 72E4C0A175A3C465D021A931CC14D5FC02AE7D60EF26429B32CC7FBF3B719D06A3A566
Reporter: James_inthe_box
Tags: dll Dridex

Intelligence


File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Infostealer.Dridex
Status: Malicious
First seen: 2020-11-03 16:39:01 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dridex botnet discovery evasion loader trojan
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blacklisted process makes network request
Dridex Loader
Dridex
Malware Config
C2 Extraction:
195.154.237.245:443
46.105.131.73:8172
91.238.160.158:18443
213.183.128.99:3786
Unpacked files
SHA256 hash: 4ef049a69d2343a538b8563388f2a9f6838e8e864c6738b1e4934a4e377369a9
MD5 hash: e16a166beb4c710daa177c316febf54c
SHA1 hash: 4f2c2e15fbf3b683bc0dfe38353d2f7eee8632a4
SHA256 hash: 8eafb48cbcd99708f307fbd7028727aee85a13a1ff7beec269aaeba94af33e7f
MD5 hash: 00893cab10a32aee669706055419b836
SHA1 hash: 357d66f8297c0b81b449d52ade5ff092c9285327
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DridexLoader
Author: kevoreilly
Description: Dridex v4 dropper C2 parsing function
Rule name: win_dridex_loader_v2
Author: Johannes Bader @viql
Description: detects some Dridex loaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
