MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b769568e3dd1c84f72d08e19c7ff0afb8efaa1ebcff6d6c8d689769bd3ef9a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	1b769568e3dd1c84f72d08e19c7ff0afb8efaa1ebcff6d6c8d689769bd3ef9a4
SHA3-384 hash:	045c29662ad90d385c00decf1fdb398d7e643cac4419e0fdb772661b8eef29f01decadcadcb2bb7a03c55ac36db83ff5
SHA1 hash:	b5cc859243a5e40ef161325e91c68e2dac9c0be8
MD5 hash:	dbff5c4e68ebb165a92a9a911df28065
humanhash:	early-mobile-october-sierra
File name:	fix.exe
Download:	download sample
Signature	Dridex Create hunting rule
File size:	172'032 bytes
First seen:	2021-07-08 18:44:56 UTC
Last seen:	2021-07-09 01:02:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e8318ff06c9300056690aa13be7e49b2 (2 x Dridex)
ssdeep	3072:vWanzQJH775FX6YhBPxzo26AHHMTDDI22LlY2cf/Kk7A:vWac1pto2biDI26lm
Threatray	4'564 similar samples on MalwareBazaar
TLSH	T186F3F134775F29E6CD4805351360A89FEE8B6792C50D3AE39E31CC13EE4AB62B4B3416
Reporter	Anonymous
Tags:	Dridex exe

Anonymous

E-mail subject: "Kaseya update information about incident xxxxxxx from response team."

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://cdn.discordapp.com/attachments/862495073048199190/862600282641661982/fix.exe

Verdict:

No threats detected

Analysis date:

2021-07-09 00:27:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/caba5ecb-c10d-457a-87c6-8ee20b1250a3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DridexLoader

Link:

https://www.capesandbox.com/analysis/170546/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.30374.8410.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dridex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/93962c64-b0cc-4dd3-a6fb-5a20509b9131

Result

Threat name:

Dridex

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/813708

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Tries to detect virtualization through RDTSC time measurements

Yara detected Dridex unpacked file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1b769568e3dd1c84f72d08e19c7ff0afb8efaa1ebcff6d6c8d689769bd3ef9a4/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2021-07-08 17:54:31 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Verdict:

malicious

Label(s):

doppeldridex

Dridex

40425542abe4fe6fe4c8fd55571bdb0b1d60cc2b2cd859bcb51a1ebfc5e76e3f

Dridex

4ec406d75588c4e395c1a5b93bf43da319684352061cf42876c704d92a52df92

Dridex

60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe

Dridex

635bda46af22563c2c46cbd6d4768f6544758876e8e8fdf859f73730dd7a4112

Dridex

9ff01c0edcf9082323a22fc225b4f2f7c9ff6d5b1f7c8d76c94da83b4c37ec25

Dridex

bf18f7795978afc865f65d3e4618289a9a2f983dcb8f554c233354cfe7ab5f52

Dridex

d7f98d07bf92683805e0ad58ff9035246409c9198659d00c7c2c3465ba3d04a4

Dridex

eced91f3ea5c7d6648f7033d82724cc7c33a3a88a051d19676a4494cf44260a2

Dridex

+ 4'554 additional samples on MalwareBazaar

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet:22202 botnet evasion loader trojan

Link:

https://tria.ge/reports/210708-y5n83ef1ke/

Behaviour

Checks whether UAC is enabled

Dridex Loader

Dridex

Malware Config

C2 Extraction:

164.68.126.207:23399
150.95.20.209:3978
107.170.211.239:4664

Unpacked files

SH256 hash:

8e16644bf8f6ab60eb4b589256c9e9e00cefab1b35751d96d2718c157832bb83

MD5 hash:

10f268a5d962cfc30ff8eecfd16962d9

SHA1 hash:

6f1054ddac73d3195a332f1b3510c335766443d1

Detections:

win_doppeldridex_auto

Link:

https://www.unpac.me/results/1ce0338d-bcbf-46c0-983e-462056663404/

SH256 hash:

1b769568e3dd1c84f72d08e19c7ff0afb8efaa1ebcff6d6c8d689769bd3ef9a4

MD5 hash:

dbff5c4e68ebb165a92a9a911df28065

SHA1 hash:

b5cc859243a5e40ef161325e91c68e2dac9c0be8

Link:

https://www.unpac.me/results/1ce0338d-bcbf-46c0-983e-462056663404/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b769568e3dd1c84f72d08e19c7ff0afb8efaa1ebcff6d6c8d689769bd3ef9a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DridexLoader Create hunting rule
Author:	kevoreilly
Description:	Dridex v4 dropper C2 parsing function

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/170546/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample