MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1
SHA3-384 hash:	6d26f82c627c896665720938288888d1fdd3e763ab75cb8683a7e678815d0e43a38bc5960b6294af9f8f35f94a3e65b5
SHA1 hash:	9f01d4442c495c7128649b98201187bc0c58dedd
MD5 hash:	6a8401448a5bd2b540850f811b20a66d
humanhash:	spaghetti-maryland-artist-mississippi
File name:	frix.exe
Download:	download sample
Signature	Dridex Create hunting rule
File size:	212'992 bytes
First seen:	2020-04-23 18:16:14 UTC
Last seen:	2020-04-23 18:48:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7ebef1081a372c6e6f289d7c633f4f3a (1 x Dridex)
ssdeep	3072:KNrKrKlirGivgt0OpAIL7IDr64J/GUAowkofDHSUEMFOfWH/iqIHWHRvVg:aOrciYKBIIPGU9wkgSUPFOwtHL
Threatray	112 similar samples on MalwareBazaar
TLSH	502412F8CB7AA4C6ED97553220A12527FF6E7C36D611C1668C1711E9E68D7CC2E30712
Reporter	abuse_ch
Tags:	Dridex exe GMX

Intelligence

File Origin

# of uploads :

# of downloads :

402

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/2050/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Expiro.dc.8591.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2020-04-23 18:25:00 UTC

File Type:

PE (Exe)

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c6f2kzfttpihk57josu3m5673bx7uhy5akm57wky5oedyxxwypqq._file

Verdict:

malicious

Label(s):

dridex

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_dridex_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Dridex

xls 6819951a1717c1127a9a577740a66ad1dbfb68f04291c54ea4b60fe04d979e40

Dridex

exe 178ba564b39bd07577e974a9b677dfd86ffa1f1d0299dfd958eb883c5ef6c3e1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/349075/

Dropped by

MD5 dc7936f485e66d0629f80aa772d25d57

Dropped by

SHA256 6819951a1717c1127a9a577740a66ad1dbfb68f04291c54ea4b60fe04d979e40

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/2050/

Cape

https://www.capesandbox.com/analysis/2047/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::PrivilegeCheck
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExW
WIN_USER_API	Performs GUI Actions	USER32.dll::FindWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample