MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd6f6c377f403f5faccf5c4bb03a0d5af94f7f57ac13572a42b187cdbda027cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd6f6c377f403f5faccf5c4bb03a0d5af94f7f57ac13572a42b187cdbda027cc
SHA3-384 hash: 7f076d16bf58dba85991776d1758c77c795ee66d5293c06917f0d43d6263a3e8722371bd8e6c7c32ee878726f6cc136d
SHA1 hash: ff50e4396399178914c64653f33617a7c4f6df61
MD5 hash: a19e9a48a5adb409f2eed82694231a7a
humanhash: music-oven-helium-freddie
File name:aejmelvv.dll
Download: download sample
Signature Dridex
Create hunting rule
File size:532'480 bytes
First seen:2020-11-16 16:17:49 UTC
Last seen:2020-11-17 13:24:43 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash d86c9caa2005654f598f605480e6a377 (1 x Dridex)
ssdeep 12288:57NJ+YF9o74mw1VMRx9FH1ugS0wJfCjM+u3c7:7IYF7Exb1x8U
Threatray 129 similar samples on MalwareBazaar
TLSH 14B45A113651802DF32F8F3C9857E5F42AD6BC62993539E736D91DABEF2724398A0342
Reporter James_inthe_box
Tags:dll Dridex

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.generic.ml.8397.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/538151
Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd6f6c377f403f5faccf5c4bb03a0d5af94f7f57ac13572a42b187cdbda027cc/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-11-16 16:16:52 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
00777c86e585397754f0e73a927bcaa3e39a4948d9bb28e758f0f5bfdac1eef4
Dridex
0be0253ef0653faeda6da8f44b05e5c63035d1142efd90d63b41568d28458959
Dridex
174c621f41276dd1732bb57b4e44aa0c5476ee3bf890a3ba0e02f7565d283d9c
Dridex
4ef049a69d2343a538b8563388f2a9f6838e8e864c6738b1e4934a4e377369a9
Dridex
79a3a7441a371606291f8bd47216a503b27a38ec61ba7604c9ba2597a54cc3d8
Dridex
8a0258361b87a73111afc4fb6f2cf121aa3a52122577a3692628e577ab202a34
Dridex
b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c
Dridex
b7416f6229dae7bc167f6f18c25b993c7c11a88a139a77178102bd7ca84c469c
Dridex
b775a1f8663e7bdeef07cdd7497b91fa82dd7ab1015d138b2aeb8b51e77d3895
Dridex
d554bef77e35bbaa325fc61e5bca1ae419f9b2222110c913eb09b9369563c061
Dridex
+ 119 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet discovery evasion loader trojan
Link:
https://tria.ge/reports/201116-4f24jker9j/
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blacklisted process makes network request
Dridex Loader
Dridex
Malware Config
C2 Extraction:
77.220.64.53:443
172.96.190.154:4664
209.126.111.137:33443
167.99.158.82:33443
Unpacked files
SH256 hash:
fd6f6c377f403f5faccf5c4bb03a0d5af94f7f57ac13572a42b187cdbda027cc
MD5 hash:
a19e9a48a5adb409f2eed82694231a7a
SHA1 hash:
ff50e4396399178914c64653f33617a7c4f6df61
Link:
https://www.unpac.me/results/1c6460c2-7d45-489a-9a27-918f4f46cbab/
SH256 hash:
fba2f1f50ea44202fe8318b1efdafdc5c94cf638eb0e5a20b2c61f4e8b1ac22b
MD5 hash:
85c04b830d3c6eaced2b098358107637
SHA1 hash:
1a9c5f4ab79c65dd68c79474dcf90d1baad987bc
Link:
https://www.unpac.me/results/1c6460c2-7d45-489a-9a27-918f4f46cbab/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dridex_loader_v2
Create hunting rule
Author:Johannes Bader @viql
Description:detects some Dridex loaders

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/823449/
  
URLhaus
https://urlhaus.abuse.ch/url/823459/
  
URLhaus
https://urlhaus.abuse.ch/url/823454/
  
URLhaus
https://urlhaus.abuse.ch/url/823474/
  
URLhaus
https://urlhaus.abuse.ch/url/823466/
  
URLhaus
https://urlhaus.abuse.ch/url/823448/
  
URLhaus
https://urlhaus.abuse.ch/url/823478/
  
URLhaus
https://urlhaus.abuse.ch/url/823460/
  
URLhaus
https://urlhaus.abuse.ch/url/823479/
  
URLhaus
https://urlhaus.abuse.ch/url/823452/
  
URLhaus
https://urlhaus.abuse.ch/url/823464/
  
URLhaus
https://urlhaus.abuse.ch/url/823473/
  
URLhaus
https://urlhaus.abuse.ch/url/823471/
  
URLhaus
https://urlhaus.abuse.ch/url/823446/
  
URLhaus
https://urlhaus.abuse.ch/url/823468/
  
URLhaus
https://urlhaus.abuse.ch/url/823470/
  
URLhaus
https://urlhaus.abuse.ch/url/823456/
  
URLhaus
https://urlhaus.abuse.ch/url/823450/
  
URLhaus
https://urlhaus.abuse.ch/url/823451/
  
URLhaus
https://urlhaus.abuse.ch/url/823461/
  
URLhaus
https://urlhaus.abuse.ch/url/823457/
  
URLhaus
https://urlhaus.abuse.ch/url/823467/
  
URLhaus
https://urlhaus.abuse.ch/url/823476/
  
URLhaus
https://urlhaus.abuse.ch/url/823453/
  
URLhaus
https://urlhaus.abuse.ch/url/823472/

Comments