MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 022300768af4879806a62b295825264657708576228f92efda2ba023ef0d955c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 022300768af4879806a62b295825264657708576228f92efda2ba023ef0d955c
SHA3-384 hash: 23cadf6318c5f622b96be8864b91ce22709053162ac8ad9d059c776f9d497300ce0b866f31cefc3ec7b90678ac2cbcd1
SHA1 hash: d8ecfb993d473ebb0d2fe9633094debf777a3dd6
MD5 hash: 5b0f21ba7548263a4a7fe550a9126a2e
humanhash: early-salami-alpha-happy
File name:5b0f21ba7548263a4a7fe550a9126a2e
Download: download sample
Signature Dridex
Create hunting rule
File size:618'496 bytes
First seen:2021-10-13 13:43:09 UTC
Last seen:2021-10-13 16:20:52 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 0bdeed4a70b8b1fd5924130bfe75d8bf (3 x Dridex)
ssdeep 12288:3uIBXPwMtjp4CqwqyaXPLAfx38TW9DiWUT2tq017JGoLb+W/:eyb4wqyaDA5sTWiXT2tq07G2b/
Threatray 861 similar samples on MalwareBazaar
TLSH T17AD4F8013A54E821E7E955B6CF2AC6E85B183D48EFB1A4C778E17F0F2AA94F3D215305
Reporter zbetcheckin
Tags:32 dll Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197222/
Detection(s):
SecuriteInfo.com.ML.PE-A.22973.13666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6166e2a61c2d58ba7404ce79/reports/90bec24a-206e-4e5d-a88e-49d87c23a04f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/352a4a31-ce84-4007-9a4e-a167c18689e1
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/869658
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Dridex e-Banking trojan
Found malware configuration
System process connects to network (likely due to code injection or exploit)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502082 Sample: RW8CBFWIXN Startdate: 13/10/2021 Architecture: WINDOWS Score: 80 30 Found malware configuration 2->30 32 Yara detected Dridex unpacked file 2->32 34 C2 URLs / IPs found in malware configuration 2->34 36 Connects to many ports of the same IP (likely port scanning) 2->36 7 loaddll32.exe 13 2->7         started        process3 dnsIp4 28 69.64.50.41, 49785, 49790, 49796 AS-30083-GO-DADDY-COM-LLCUS United States 7->28 40 Detected Dridex e-Banking trojan 7->40 11 cmd.exe 1 7->11         started        13 rundll32.exe 7->13         started        16 rundll32.exe 7->16         started        18 rundll32.exe 7->18         started        signatures5 process6 signatures7 20 rundll32.exe 12 11->20         started        42 Detected Dridex e-Banking trojan 13->42 process8 dnsIp9 24 174.128.245.202, 443, 49772, 49773 ST-BGPUS United States 20->24 26 51.83.3.52, 13786, 49781, 49782 OVHFR France 20->26 38 System process connects to network (likely due to code injection or exploit) 20->38 signatures10
Detection:
dridex
Create hunting rule
Link:
https://mwdb.cert.pl/sample/022300768af4879806a62b295825264657708576228f92efda2ba023ef0d955c/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 13:44:28 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
gozi
Create hunting rule
Similar samples:
09cceb619174c99d026734f860f26cda0107af31b9153a9f7d6613c86fd57772
Dridex
791252fc4def3c4c3bdb270633ffc88c0e2cd8e8e8ba299825a83841a273e7dd
Dridex
88a94091ec39cf0fcb60f326e81f2a12ac40c6f41072f04dd0088d9c435e2d31
Dridex
98b3fa8ad7143d6bfb754aeca00ded8ffe5789d7e4360f51841801906f5e5551
Dridex
9e39f4494952dfedc6608ebad6c832474045bfaba3ccbb69f8194a2681311eac
Dridex
b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c
Dridex
b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d
Dridex
b9bb671587f2dad8a3df83d6bd0b7b8327edf93fadbefe8b6aa7eabe6698ae88
Dridex
c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82
Dridex
f14930c641c001377c3c4c468fc97ab43acde69287819c134d529d95c0fb7bb4
Dridex
+ 851 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:10444 botnet discovery evasion trojan
Link:
https://tria.ge/reports/211013-q1t1daeafj/
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blocklisted process makes network request
Dridex
Malware Config
C2 Extraction:
174.128.245.202:443
51.83.3.52:13786
69.64.50.41:6602
Unpacked files
SH256 hash:
26bed99a3109c290b13c1a439ef135fe4ea23ec93e008f926d6e3e0ccdaf2329
MD5 hash:
7f8a62f751e87ea0e74b33b9ce800328
SHA1 hash:
42cb59c31e9db334967cfae4d09b3115e3d2ad92
Link:
https://www.unpac.me/results/44a94659-1a8d-491d-a49b-ae6d466d38c6/
SH256 hash:
022300768af4879806a62b295825264657708576228f92efda2ba023ef0d955c
MD5 hash:
5b0f21ba7548263a4a7fe550a9126a2e
SHA1 hash:
d8ecfb993d473ebb0d2fe9633094debf777a3dd6
Link:
https://www.unpac.me/results/44a94659-1a8d-491d-a49b-ae6d466d38c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/022300768af4879806a62b295825264657708576228f92efda2ba023ef0d955c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll 022300768af4879806a62b295825264657708576228f92efda2ba023ef0d955c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1674009/
  
URLhaus
https://urlhaus.abuse.ch/url/1674028/
  
URLhaus
https://urlhaus.abuse.ch/url/1674056/
  
URLhaus
https://urlhaus.abuse.ch/url/1674064/
  
URLhaus
https://urlhaus.abuse.ch/url/1674083/
  
URLhaus
https://urlhaus.abuse.ch/url/1674094/
  
URLhaus
https://urlhaus.abuse.ch/url/1674079/
  
URLhaus
https://urlhaus.abuse.ch/url/1674032/
  
URLhaus
https://urlhaus.abuse.ch/url/1674048/
  
URLhaus
https://urlhaus.abuse.ch/url/1673963/
  
URLhaus
https://urlhaus.abuse.ch/url/1673986/
Cape
Cape
https://www.capesandbox.com/analysis/197222/
  
URLhaus
https://urlhaus.abuse.ch/url/1674014/
  
URLhaus
https://urlhaus.abuse.ch/url/1673953/

Comments


Avatar
zbet commented on 2021-10-13 13:43:09 UTC

url : hxxps://andresmarin.ottimosoft1.com/cyxttl.rar