MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c
SHA3-384 hash: 47238e5d3de1403eb08e416947071aef999bad460bcfe35a1145d6c57f0bfa6787fd298f3249e0a7a5ab8611a775c3ec
SHA1 hash: a5b0d7ce017812a8cf6232f6ee65e338804a8c6e
MD5 hash: 86cf23052839ce4955a9ca27d08b4b55
humanhash: march-ack-lithium-johnny
File name:86cf23052839ce4955a9ca27d08b4b55
Download: download sample
Signature Dridex
Create hunting rule
File size:177'664 bytes
First seen:2021-07-26 23:15:08 UTC
Last seen:2021-07-26 23:40:36 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 89aebe8644a760ddbd7c2e801228e7e5 (7 x Dridex)
ssdeep 3072:DENLuxQI4JTJlYDFS6t2NAgEaakq7MCi6TM7EzNfFln:DE5PB3ot2ygEasni6TM7EzN
Threatray 4'721 similar samples on MalwareBazaar
TLSH T1D104D061DBE759C5D7A3C57ACC8CA17BD1293C0B8A6CD27C6208D2CC897AF0CC6A4D95
Reporter zbetcheckin
Tags:32 dll Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174214/
Detection(s):
SecuriteInfo.com.Variant.Graftor.972231.13045.8668.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9f31ff6-92da-413b-86d2-d90bc01a9d92
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/822054
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found PHP interpreter
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 21:37:25 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ciw2vyte4sfp5swp6oldgbihkfsy7fkx3ksk5a3tn5glp6xfr4oa._file
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
1a560adb810b924e65f91e34664166be2c2adac10f7f28c075d902e4adb1112c
Dridex
4fc754bd7957493e0b8e127e22cb4599f9ad57d8a581087cd697ae9ee90e6d55
Dridex
55bc0af1e99d0310ea3e8668aba02e4d3aa3c800b85fe304a6377968a4668cc1
Dridex
6ca95953e88828830e9cdecb6f56a1139d7678b3d2bf2c2e32c27ee01cece84e
Dridex
80012d65f11c6481e6e98a03016f5a69ed2ae210af24d810b7ce562318a9b116
Dridex
9f1ca49e69173b3b5df37bbb48f17ce6ad857f4acbb0261f3306c9b1d2232d19
Dridex
a51b5bab04a5b0f549dd27851e83550a47cd38abd109ee24bc1d96aae089d25c
Dridex
ac3cc428096079fe4572b77a4382eb28b48f7d30279adce3ba69a51f42fe1bd4
Dridex
cbe76441844bd0b28afb2b183f52ef3bec4c2a4b26884219049ba2618a823989
Dridex
e26c7e7c111e41d766ab313e1c4c0f17cbc9710aee23248b017735caf97f2a0e
Dridex
+ 4'711 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22202 botnet evasion loader trojan
Link:
https://tria.ge/reports/210726-mthcd6xmnx/
Behaviour
Suspicious use of WriteProcessMemory
Checks whether UAC is enabled
Dridex Loader
Dridex
Malware Config
C2 Extraction:
45.79.33.48:443
139.162.202.74:5007
68.183.216.174:7443
Unpacked files
SH256 hash:
cdcc9b729ed60a4954aadb5b020f84054a488fb6f5591616473415109fe1d9ae
MD5 hash:
0e433b8a675c3f07d53132a88baebf40
SHA1 hash:
4f12d2600db3bfd850ff80f282d2ab2e724440ce
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/52747529-798d-4b89-995f-16ed8519235f/
Parent samples :
cbe76441844bd0b28afb2b183f52ef3bec4c2a4b26884219049ba2618a823989
122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c
cf56df192c905336714c2295fd771cb2ed6ade7167705b0442bbc8dde72072e8
00072be4185289677e5babb9fda5279b5c2886683ebd7ea22d36f4bc9683b3e5
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be
19224bfca1af04c5548f61f93877dfdda1194f9a3b018385d72e5bb96cc8b00d
581305130377c5a6cc8fe10f6e698758da36cfd857981dbb1da867f202429653
SH256 hash:
a1f23d6ac9c55193703f97ca25daffbd030e650b854d2765666192bbeca63d0e
MD5 hash:
c0aac9455f39536bb87c06cee8d6865a
SHA1 hash:
84dfa6301dd8043b6964f563e3710db237c568f9
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/52747529-798d-4b89-995f-16ed8519235f/
SH256 hash:
122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c
MD5 hash:
86cf23052839ce4955a9ca27d08b4b55
SHA1 hash:
a5b0d7ce017812a8cf6232f6ee65e338804a8c6e
Link:
https://www.unpac.me/results/52747529-798d-4b89-995f-16ed8519235f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLLLoader
Create hunting rule
Author:ditekSHen
Description:Detects unknown DLL Loader
Rule name:win_doppeldridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.doppeldridex.
Rule name:win_dridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.dridex.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll 122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1483501/
Cape
Cape
https://www.capesandbox.com/analysis/174214/

Comments


Avatar
zbet commented on 2021-07-26 23:15:09 UTC

url : hxxp://immidiateupdatesolutions.one:8088/wp-content/button_EMsf4.png