MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de7aac41ca67fe226c8cced77b863944ac32ae99cd0eeada4ac85e5eb4ddfe76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	de7aac41ca67fe226c8cced77b863944ac32ae99cd0eeada4ac85e5eb4ddfe76
SHA3-384 hash:	ec95b1ac032f62791c02faa328ad5b15f5528a8774111f3e061491fd52f7fb48cd12fa6f16844abcc80ae2b9622aa56d
SHA1 hash:	4aa8422fe71bc943e8ef35e53b592f1349dae989
MD5 hash:	986c42e6c33302d9c09029fb01cf1b6e
humanhash:	east-lima-harry-india
File name:	hw5ixzp.rar
Download:	download sample
Signature	Dridex Create hunting rule
File size:	942'080 bytes
First seen:	2021-02-17 21:34:52 UTC
Last seen:	2021-02-18 11:56:16 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	2b5af016caf77cb8f1d9180b332d8806 (11 x Dridex)
ssdeep	24576:X/WfnaVoffEQmyO378WTkvEKT9Hgce1BHbofCm:Puaq34yDWTkvvT9HgdbofC
Threatray	464 similar samples on MalwareBazaar
TLSH	D215E0007682C072D4A59774CD28D1FD8A69BE65CF2008EB73D43FAF3A755C18E35A6A
Reporter	fr0s7_
Tags:	dll Dridex

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/117607/

Detection(s):

SecuriteInfo.com.Trojan.Dridex.735.23113.1245.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/610892

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de7aac41ca67fe226c8cced77b863944ac32ae99cd0eeada4ac85e5eb4ddfe76/

Threat name:

Win32.Infostealer.Dridex

Status:

Malicious

First seen:

2021-02-17 21:35:06 UTC

AV detection:

13 of 29 (44.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3z5kyqokm77ce3emz3lxxbrziswdfluzzuhovwskzbpf5ng57z3a._file

Verdict:

malicious

Label(s):

dridex

gozi

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet:10444 botnet discovery evasion loader trojan

Link:

https://tria.ge/reports/210217-mxx7mwewna/

Behaviour

Suspicious use of WriteProcessMemory

Checks installed software on the system

Checks whether UAC is enabled

Blocklisted process makes network request

Dridex Loader

Dridex

Malware Config

C2 Extraction:

209.20.87.138:443
198.1.115.153:8172
151.236.29.248:6516

Unpacked files

SH256 hash:

de7aac41ca67fe226c8cced77b863944ac32ae99cd0eeada4ac85e5eb4ddfe76

MD5 hash:

986c42e6c33302d9c09029fb01cf1b6e

SHA1 hash:

4aa8422fe71bc943e8ef35e53b592f1349dae989

Link:

https://www.unpac.me/results/3b8237e7-968c-4858-a0df-c60f3b0fb30f/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.