MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1718966d91a317e8d16a0015e8f24c295f8ce978af37acef7cdbc9d76934c100. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	1718966d91a317e8d16a0015e8f24c295f8ce978af37acef7cdbc9d76934c100
SHA3-384 hash:	87ff587951ea5775f696e2f4eb3a950d0974e492882363ba62fd3becd1a455a8839c5a4badd3e75dc73cde940da45b61
SHA1 hash:	506aca93e90417e91bdf5cde5095aa07de62acae
MD5 hash:	63922c2487337188b76e721d86ba1a4f
humanhash:	echo-speaker-network-charlie
File name:	hsy_utu8_12u_v4.4.7.0 (3).dll
Download:	download sample
Signature	Dridex Create hunting rule
File size:	179'200 bytes
First seen:	2021-07-27 07:47:44 UTC
Last seen:	2021-07-27 08:46:18 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	038ee71bd4ea63acaf586d3475ef17a1 (6 x Dridex)
ssdeep	3072:syY5bY8XE+kkqh84cKcv4FinaLzL2rVQLOmpvNbTAvDstOr18T:PRAkkk84e4wne2nmhFAvD4O
Threatray	8'782 similar samples on MalwareBazaar
TLSH	T1CE04CF51D2DF2AD9C41E87BC11947A0976707EC2CB68C078E266C4BCEF7BD4649E4326
Reporter	JAMESWT_WT
Tags:	dll Dridex

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DridexLoader

Link:

https://www.capesandbox.com/analysis/174257/

Detection(s):

SecuriteInfo.com.Variant.Graftor.981531.28893.26846.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed1711c8-328d-44fd-b509-eb33e4c929f5

Result

Threat name:

Dridex

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/822176

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found PHP interpreter

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

Yara detected Dridex unpacked file

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2021-07-26 20:51:51 UTC

File Type:

PE (Dll)

AV detection:

16 of 46 (34.78%)

Threat level:

5/5

Verdict:

malicious

Label(s):

doppeldridex

dridex

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet:22201 botnet evasion loader trojan

Link:

https://tria.ge/reports/210727-vmmnqdmap2/

Behaviour

Suspicious use of WriteProcessMemory

Checks whether UAC is enabled

Dridex Loader

Dridex

Malware Config

C2 Extraction:

45.79.33.48:443
139.162.202.74:5007
68.183.216.174:7443

Unpacked files

SH256 hash:

73169a6c8dfe0ca7820193306f8aed8a5a34273e5ef2c77330e3d13dba0d86fb

MD5 hash:

653c4ff6f51f4312d6e4fe8878703136

SHA1 hash:

137a050ed6d1ccc078c3d7e9d8c84c5196158519

Detections:

win_doppeldridex_auto

Link:

https://www.unpac.me/results/823b532b-b6d5-4c06-8964-5a99cd8b6779/

SH256 hash:

5bf852452d813f27ecf1c13259164766b496f7882acad7794ad5844efe52a72c

MD5 hash:

d3f69f8c8abc8443ed4f96e49ffb6e19

SHA1 hash:

f5083b71c6b22de6592bcff17dfdbdeef3e69654

Detections:

win_dridex_auto

Link:

https://www.unpac.me/results/823b532b-b6d5-4c06-8964-5a99cd8b6779/

Parent samples :

b2bcb01b2c4755ae460bcd5d2b80bac2b487c6496f9d2db34a0f84a3ffe6084e
fbd108648a43add9a2e400640f3e60a7f31971d748ad0e3f8531a17fa328e7c6
1718966d91a317e8d16a0015e8f24c295f8ce978af37acef7cdbc9d76934c100
0f52e85eae79fb03bd9b391bc9753417cd066990a41251d385f55e2c9c7b4b53
ccde7438b5015713fef79809dd2fa46a1cd2ee5f81f53b322f3ec716dc6e4e38
438c66fb365afa484518a37f4c1ad95b9d5d4990ae6e84d3a3609dcba035a415

SH256 hash:

1718966d91a317e8d16a0015e8f24c295f8ce978af37acef7cdbc9d76934c100

MD5 hash:

63922c2487337188b76e721d86ba1a4f

SHA1 hash:

506aca93e90417e91bdf5cde5095aa07de62acae

Link:

https://www.unpac.me/results/823b532b-b6d5-4c06-8964-5a99cd8b6779/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/1718966d91a317e8d16a0015e8f24c295f8ce978af37acef7cdbc9d76934c100

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time