MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c06e49ba2ab6abd8c6d878772f3a01ab5ea69045c8eca7f6c9b154f40633629. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c06e49ba2ab6abd8c6d878772f3a01ab5ea69045c8eca7f6c9b154f40633629
SHA3-384 hash: 123ed6d088824afcff978a3ec85b0c8d404505e9f3e0cc60a4db3340db24d60e09e1032915392a024d5bb88529781ec5
SHA1 hash: 3ba404fa11f65580f08afaba118c46c1d4b6af8e
MD5 hash: 9453a84dc0320191c92ac4568968f211
humanhash: robin-ten-golf-monkey
File name:invoice_32.xll
Download: download sample
Signature Dridex
Create hunting rule
File size:652'288 bytes
First seen:2021-10-27 20:19:17 UTC
Last seen:2021-10-27 21:07:35 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep 12288:70Ws7IMtR4yVld8bzbBSre1hgFK/UqWIG:70bdkX17cLI
Threatray 5 similar samples on MalwareBazaar
TLSH T10FD46C55BECA6EA1EFBF47BB8361D62D0226735D03A1A6CF760305993951FC2443EA03
Reporter Racco42
Tags:dll Dridex xll

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200715/
Detection(s):
SecuriteInfo.com.Trojan.Generic.30567316.2235.16865.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
anti-vm greyware packed packed
Link:
https://www.filescan.io/uploads/6179b475db358dd15ee0c58a/reports/c89cae7b-e5f0-4fec-ae61-93748a1c262f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1aac4d14-fae7-490b-9673-2b8e2b34e3f4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/878125
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 510559 Sample: invoice_32.xll Startdate: 27/10/2021 Architecture: WINDOWS Score: 52 31 Multi AV Scanner detection for submitted file 2->31 33 Initial sample is a PE file and has a suspicious name 2->33 7 loaddll32.exe 4 2->7         started        process3 process4 9 iexplore.exe 1 76 7->9         started        12 cmd.exe 1 7->12         started        14 regsvr32.exe 3 7->14         started        16 3 other processes 7->16 dnsIp5 29 192.168.2.1 unknown unknown 9->29 18 iexplore.exe 2 147 9->18         started        21 rundll32.exe 1 12->21         started        process6 dnsIp7 23 dart.l.doubleclick.net 142.250.186.70, 443, 49825, 49826 GOOGLEUS United States 18->23 25 geolocation.onetrust.com 104.20.185.68, 443, 49778, 49779 CLOUDFLARENETUS United States 18->25 27 10 other IPs or domains 18->27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c06e49ba2ab6abd8c6d878772f3a01ab5ea69045c8eca7f6c9b154f40633629/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-10 20:19:57 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqdojg5cvnvl3ddnq6dxf45adk26u2ielshmu73mtmku6qddgyuq._file
Verdict:
malicious
Similar samples:
31372a551165ad128ef26b0ef3b83654822830772445f01e66919847a5454fca
Dridex
5938e3656b29d4fca8fa6c890e57e0a64a7591c4298453cb64391164afd483d2
Dridex
695a151194915dd1aaad61737b5eb1cc12f05529a7c53b6350403a0ac5cce7d3
Dridex
91d0e6bfeef38db996b0fbe3d1fdfc10826842a10c896646f5044c892b2c1665
Dridex
994013d66ae20cfa4ef1097d73481b00a672131d0de44d79a04ff12f492aae55
Dridex
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211027-y4envsgdf3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
eac5f84f57148036844ade6a207cc199ae41a56dbf11e3f7f7001378a62d40a6
MD5 hash:
3b7af87d06e8d851bde29148e587108f
SHA1 hash:
fbbd4cc87d793e3a3b669951e7920bcbe5ef5533
Link:
https://www.unpac.me/results/f663b328-ec9e-4a94-ac85-9d5545664789/
SH256 hash:
3f18194190b2ee9400c09cdea45e81a151f9787f24f200cacfc9e5fb885896fd
MD5 hash:
d18f09e3c610c0c01785bc7f5c1142f9
SHA1 hash:
267a353a4314fde5b16b59a0a622dc1f6652b766
Link:
https://www.unpac.me/results/f663b328-ec9e-4a94-ac85-9d5545664789/
SH256 hash:
1c06e49ba2ab6abd8c6d878772f3a01ab5ea69045c8eca7f6c9b154f40633629
MD5 hash:
9453a84dc0320191c92ac4568968f211
SHA1 hash:
3ba404fa11f65580f08afaba118c46c1d4b6af8e
Link:
https://www.unpac.me/results/f663b328-ec9e-4a94-ac85-9d5545664789/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c06e49ba2ab6abd8c6d878772f3a01ab5ea69045c8eca7f6c9b154f40633629

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Dridex

DLL dll 1c06e49ba2ab6abd8c6d878772f3a01ab5ea69045c8eca7f6c9b154f40633629

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/200715/

Comments