MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f563add346f7f8f986ab89b26be41a60e9e85bd142d3d82f9ae09a90725f4b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f563add346f7f8f986ab89b26be41a60e9e85bd142d3d82f9ae09a90725f4b5
SHA3-384 hash: 6cb5175b111b9f7b1afb09d561d733ddb5707c3c44d61db88ce7b6afd0a150b42127534052f7b91d876e676285d9a7c2
SHA1 hash: b66307632b49003601dc16671df883c14ecdd18a
MD5 hash: 9198ec7baef5f872e254564b5ab483e8
humanhash: beryllium-pennsylvania-cup-mountain
File name:9198ec7baef5f872e254564b5ab483e8
Download: download sample
Signature Dridex
Create hunting rule
File size:487'424 bytes
First seen:2021-12-06 15:07:03 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9259df85dc28e34e237d850d94b74d88 (4 x Dridex)
ssdeep 12288:uGAe6zhjzhVjTJVFRH3m0K0JRkyVnochOENqef6enkeb86t:utDzhjzhVjTJVFRH2L0JREn9zxZ6
Threatray 5'574 similar samples on MalwareBazaar
TLSH T1A1A4AF67D1A2CB1AF5CCA2F3921A018ADDB64A8482F547D40CE8DC564FB7687F1B0D39
Reporter zbetcheckin
Tags:32 dll Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211845/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.24603.18096.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61ae2719fa72c81b5b0e8e4d/reports/447e10d9-7b86-43ad-91cf-3c44b9a44d38/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fab6a79d-5789-4ad2-8a6b-06ddf6b70109
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/902423
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534907 Sample: X8SqRN0xuu Startdate: 06/12/2021 Architecture: WINDOWS Score: 72 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected Dridex unpacked file 2->27 29 2 other signatures 2->29 8 loaddll32.exe 13 2->8         started        process3 dnsIp4 17 23.246.204.126, 443, 49759, 49765 SOFTLAYERUS United States 8->17 19 172.105.78.60, 4664, 49764, 49768 LINODE-APLinodeLLCUS United States 8->19 21 2 other IPs or domains 8->21 11 cmd.exe 1 8->11         started        process5 process6 13 rundll32.exe 11->13         started        process7 15 WerFault.exe 23 9 13->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f563add346f7f8f986ab89b26be41a60e9e85bd142d3d82f9ae09a90725f4b5/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 15:07:13 UTC
File Type:
PE (Dll)
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
5c4a8170fd811f2dbe2019a738a51598d6f874ed84626aef1b9786dc064014c3
Dridex
6d22c025dfc9ae47f722194f0c139b393e538c9ed467557476be20f19d7e7089
Dridex
7dd71dac4d68a8d49db4b0077f38225b597591ee52f96fd832acfa552d166979
Dridex
7e4eb05983026790d6874df967ef5d1d00fcea1e2841a8f7d333b727d3d8dcf4
Dridex
b7c8fa282d0db4cb510325a4183dae5fd229b2e4f47b827a2d3cddd8889feb41
Dridex
d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b
Dridex
dc764bcf7c82b8e21be4e6ab57217dea8edce6259c724f5605546e50549a2b99
Dridex
fd7658cdf31389ef24c2767f2f909a4b71de55a1232e84c0575675df7bb2faf7
Dridex
+ 5'564 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:10444 botnet loader
Link:
https://tria.ge/reports/211206-shbgesedaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Dridex Loader
Dridex
Malware Config
C2 Extraction:
23.246.204.126:443
151.106.39.36:8116
103.124.144.123:6891
172.105.78.60:4664
Unpacked files
SH256 hash:
477cf0b53ae5c85fd5aeceec995dfdd6ec7701006e8dce24b2cf3ff75e8a597c
MD5 hash:
2916685b9c2fe0f0be68704a49ea08c2
SHA1 hash:
3397badcfb469e7ef590e15187057f4e5b96727c
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/2e8badba-27f7-4ff8-b3f7-01ae1a0e1cec/
SH256 hash:
e80d18e8efc6e81562b62978aef33f818624ed7c4e222ad7355b859e2efac890
MD5 hash:
384947f93eb747f35b2297bc96e805fc
SHA1 hash:
6d432b1feac2c07af1cec4ebfc36981832993143
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/2e8badba-27f7-4ff8-b3f7-01ae1a0e1cec/
Parent samples :
5c4a8170fd811f2dbe2019a738a51598d6f874ed84626aef1b9786dc064014c3
0f563add346f7f8f986ab89b26be41a60e9e85bd142d3d82f9ae09a90725f4b5
17d3434c35717f1cc1926b06ae19af411b520fdb1e259c1097d264d4f64a2197
32e6090617d7d8889307524f08db7aa84291be954907b016f700b13b99754a56
SH256 hash:
0f563add346f7f8f986ab89b26be41a60e9e85bd142d3d82f9ae09a90725f4b5
MD5 hash:
9198ec7baef5f872e254564b5ab483e8
SHA1 hash:
b66307632b49003601dc16671df883c14ecdd18a
Link:
https://www.unpac.me/results/2e8badba-27f7-4ff8-b3f7-01ae1a0e1cec/
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0f563add346f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0f563add346f7f8f986ab89b26be41a60e9e85bd142d3d82f9ae09a90725f4b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll 0f563add346f7f8f986ab89b26be41a60e9e85bd142d3d82f9ae09a90725f4b5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1859289/
  
URLhaus
https://urlhaus.abuse.ch/url/1859176/
  
URLhaus
https://urlhaus.abuse.ch/url/1859253/
Cape
Cape
https://www.capesandbox.com/analysis/211845/

Comments


Avatar
zbet commented on 2021-12-06 15:07:04 UTC

url : hxxps://discord.eduassist.asia/wvtl2su96.tar