MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97bb6f30d2fe5546a810da356e41652d1bccfe2130cf77dec36b9ee17c19259d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 97bb6f30d2fe5546a810da356e41652d1bccfe2130cf77dec36b9ee17c19259d
SHA3-384 hash: 7af3e6aee7fea585cce370ed9ddff197867bb2bd5fe5bd63784fe68dbdafc582bd30829a4d65f962711f2e4dd20cd47f
SHA1 hash: c2c873baf147aa74843382a1e2dae33659bd49d5
MD5 hash: a243d9f801c9004299711a96ecdac4fc
humanhash: four-december-hot-artist
File name: .1869190279.Xls
Signature: Dridex
File size: 68'096 bytes
First seen: 2020-04-22 12:38:41 UTC
Last seen: 2020-04-22 17:46:02 UTC
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 1536:Lwh1Ynk3hbdlylKsgqopeJBWhZFGkE+cL2NdAH2cCXJXi1qKwZ368Ii1Gemg1wmc:Lwh1Ynk3hbdlylKsgqopeJBWhZFGkE+c
TLSH: F363E7A2B7E9C906D9B61B354CF6C6A16736FC619F76C34F3244B31E1E326808912727
Reporter: @abuse_ch
Tags: Dridex xls


Twitter: @abuse_ch
Malspam sent from unknown spam botnet, distributing Dridex. Various sending IPs and subjects. Example:

HELO: watv103042170142.watv.ne.jp
Sending IP: 103.42.170.142
From: UPS Update <upsbillingcenter9@ups.com>
Subject: Your UPS Invoice is Ready
Attachment: .1869190279.Xls

Intelligence


Mail intelligence
Trap location    Impact
Global           High
IT Italy         Low
CH Switzerland   High
# of uploads: 3
# of downloads: 57
Origin country: CH

ClamAV: TwinWave.EvilDoc.Dridex.20200420.UNOFFICIAL
ClamAV: Xls.Dropper.Agent-7682890-0
CERT.PL MWDB: Gathering data
ReversingLabs: Status: Malicious
Threat name: Document-Word.Trojan.Rdn
First seen: 2020-04-22 13:22:00 UTC
AV detection: 19 of 31 (61.29%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
VirusTotal: VirusTotal results 6.56%

Yara Signatures


Rule name: ach_Dridex_xls_20200522
Author: abuse.ch

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: win_alina_pos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_gootkit_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  -> Dridex
     -> Excel file xls 97bb6f30d2fe5546a810da356e41652d1bccfe2130cf77dec36b9ee17c19259d (this sample)
        -> Dropping: Dridex

Delivery method: Distributed via e-mail attachment

Comments



Corsin Camichel commented on 2020-04-22 13:07:41 UTC

Malicious email
From: upsbillingcenter8@ups.com
Received: from 78-83-254-210.spectrumnet.bg (78-83-254-210.spectrumnet.bg [78.83.254.210])
Date: Wed, 22 Apr 2020 15:04:43 +0200
Subject: Your UPS Invoice (status update)

Corsin Camichel commented on 2020-04-22 13:07:36 UTC

Malicious email
From: upsbillingcenterh@ups.com
Received: from 78-83-254-210.spectrumnet.bg (78-83-254-210.spectrumnet.bg [78.83.254.210])
Date: Wed, 22 Apr 2020 15:04:30 +0200
Subject: Reminder:Your UPS Invoice

Corsin Camichel commented on 2020-04-22 13:07:30 UTC

Malicious email
From: UPS Billing Center <upsbillingcenter3@ups.com>
Received: from 78-83-254-210.spectrumnet.bg (78-83-254-210.spectrumnet.bg [78.83.254.210])
Date: Wed, 22 Apr 2020 15:04:29 +0200
Subject: UPS invoice reminder

Corsin Camichel commented on 2020-04-22 13:07:25 UTC

Malicious email
From: "UPS" <upsbillingcenterv@ups.com>
Received: from 78-83-254-210.spectrumnet.bg (78-83-254-210.spectrumnet.bg [78.83.254.210])
Date: Wed, 22 Apr 2020 15:04:26 +0200
Subject: UPS invoice reminder

Corsin Camichel commented on 2020-04-22 13:07:20 UTC

Malicious email
From: upsbillingcenter8@ups.com
Received: from 78-83-254-210.spectrumnet.bg (78-83-254-210.spectrumnet.bg [78.83.254.210])
Date: Wed, 22 Apr 2020 15:04:43 +0200
Subject: Your UPS Invoice (status update)

Corsin Camichel commented on 2020-04-22 13:07:15 UTC

Malicious email
From: upsbillingcenterh@ups.com
Received: from 78-83-254-210.spectrumnet.bg (78-83-254-210.spectrumnet.bg [78.83.254.210])
Date: Wed, 22 Apr 2020 15:04:30 +0200
Subject: Reminder:Your UPS Invoice

Corsin Camichel commented on 2020-04-22 13:07:07 UTC

Malicious email
From: UPS Billing Center <upsbillingcenter3@ups.com>
Received: from 78-83-254-210.spectrumnet.bg (78-83-254-210.spectrumnet.bg [78.83.254.210])
Date: Wed, 22 Apr 2020 15:04:29 +0200
Subject: UPS invoice reminder

Corsin Camichel commented on 2020-04-22 13:07:03 UTC

Malicious email
From: UPS Billing Center <upsbillingcenter3@ups.com>
Received: from 78-83-254-210.spectrumnet.bg (78-83-254-210.spectrumnet.bg [78.83.254.210])
Date: Wed, 22 Apr 2020 15:04:29 +0200
Subject: UPS invoice reminder

Corsin Camichel commented on 2020-04-22 12:55:28 UTC

Malicious email
From: "UPS" <upsbillingcenterb@ups.com>
Received: from static-103-157-61-95.ipcom.comunitel.net (static-103-157-61-95.ipcom.comunitel.net [95.61.157.103])
Date: Wed, 22 Apr 2020 13:31:34 +0100
Subject: Your UPS Invoice is Ready

abuse.ch commented on 2020-04-22 12:39:15 UTC

Dridex payload URL:
https://idemoten.com/?