MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19224bfca1af04c5548f61f93877dfdda1194f9a3b018385d72e5bb96cc8b00d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	19224bfca1af04c5548f61f93877dfdda1194f9a3b018385d72e5bb96cc8b00d
SHA3-384 hash:	383a0c1e5b47da468257cb31b29a7868c4cc8844fd02dece1d5f9a006919597ff0db1c55b633e65479162bd2df407e8f
SHA1 hash:	fbbf4cd832b2dac5618d953e50a2f285ce529e39
MD5 hash:	f6d7184a7a5ea749feb9d767ba4ef007
humanhash:	fifteen-autumn-fruit-alanine
File name:	hsy_utu8_12u_v4.4.7.0.dll
Download:	download sample
Signature	Dridex Create hunting rule
File size:	177'664 bytes
First seen:	2021-07-27 08:37:48 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	89aebe8644a760ddbd7c2e801228e7e5 (7 x Dridex)
ssdeep	3072:m3NLuxQI4JTJlYDFS6t2NAgEaakq7MCi6TM7ELNfFln:m35PB3ot2ygEasni6TM7ELN
Threatray	4'734 similar samples on MalwareBazaar
TLSH	T19204D161DBE759C5D7A3C57ACC8CA17BD1293C0B8A6CD2BC6208D2CC897AF0CC5A4D95
Reporter	JAMESWT_WT
Tags:	dll Dridex

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DridexLoader

Link:

https://www.capesandbox.com/analysis/174284/

Detection(s):

SecuriteInfo.com.Variant.Graftor.972231.7350.5459.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a2654d50-44a1-47fd-b075-339d93f41d03

Result

Threat name:

Dridex

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/822214

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found PHP interpreter

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

Yara detected Dridex unpacked file

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2021-07-27 00:58:22 UTC

File Type:

PE (Dll)

AV detection:

18 of 46 (39.13%)

Threat level:

5/5

Verdict:

malicious

Label(s):

doppeldridex

dridex

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet:22202 botnet evasion loader trojan

Link:

https://tria.ge/reports/210727-6xblmkn3e6/

Behaviour

Suspicious use of WriteProcessMemory

Checks whether UAC is enabled

Dridex Loader

Dridex

Malware Config

C2 Extraction:

45.79.33.48:443
139.162.202.74:5007
68.183.216.174:7443

Unpacked files

SH256 hash:

cdcc9b729ed60a4954aadb5b020f84054a488fb6f5591616473415109fe1d9ae

MD5 hash:

0e433b8a675c3f07d53132a88baebf40

SHA1 hash:

4f12d2600db3bfd850ff80f282d2ab2e724440ce

Detections:

win_dridex_auto

Link:

https://www.unpac.me/results/c8b82b68-36ec-4a2c-845f-e759d41dc8f7/

Parent samples :

cbe76441844bd0b28afb2b183f52ef3bec4c2a4b26884219049ba2618a823989
122daae264e48afecacff39633050751658f9557daa4ae83736f4cb7fae58f1c
cf56df192c905336714c2295fd771cb2ed6ade7167705b0442bbc8dde72072e8
00072be4185289677e5babb9fda5279b5c2886683ebd7ea22d36f4bc9683b3e5
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be
19224bfca1af04c5548f61f93877dfdda1194f9a3b018385d72e5bb96cc8b00d
581305130377c5a6cc8fe10f6e698758da36cfd857981dbb1da867f202429653

SH256 hash:

4f8bf98c11a6372ec2a2cd35cd51b50ae626d9e7e81f242ea681761bdf95a347

MD5 hash:

e1c2a1c8fd84875f870463eb48b34252

SHA1 hash:

dcc1f26f9762e2648fb2393572d7f7be02cffaaa

Detections:

win_doppeldridex_auto

Link:

https://www.unpac.me/results/c8b82b68-36ec-4a2c-845f-e759d41dc8f7/

SH256 hash:

19224bfca1af04c5548f61f93877dfdda1194f9a3b018385d72e5bb96cc8b00d

MD5 hash:

f6d7184a7a5ea749feb9d767ba4ef007

SHA1 hash:

fbbf4cd832b2dac5618d953e50a2f285ce529e39

Link:

https://www.unpac.me/results/c8b82b68-36ec-4a2c-845f-e759d41dc8f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/19224bfca1af04c5548f61f93877dfdda1194f9a3b018385d72e5bb96cc8b00d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time