MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c3f402651ec7acc0f84753b8a3913ec5b9abb7e0350fe4c88fce7b3ed364ec0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c3f402651ec7acc0f84753b8a3913ec5b9abb7e0350fe4c88fce7b3ed364ec0
SHA3-384 hash: 6c734f5e6e907b0d698d43526cfdf8b91b54950f5acc93522c655034a1393f9fb194c97816ca73330520ee66d5c23326
SHA1 hash: 048f6ff1044ecd925654b86f8dbcc62a500691e0
MD5 hash: eb663da7d960ab7736290075b46998ef
humanhash: foxtrot-michigan-uncle-lake
File name:eb663da7d960ab7736290075b46998ef.dll
Download: download sample
Signature Dridex
Create hunting rule
File size:618'496 bytes
First seen:2021-10-13 14:19:13 UTC
Last seen:2021-10-13 16:20:54 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a5fbb54a2d8e086b0b1f07a086b817fc (2 x Dridex)
ssdeep 12288:MuIBRuwMtjp4CqwqyaXPLAfx38TW9DiWUT2tq017JGoLbfW/:Dbb4wqyaDA5sTWiXT2tq07G2S/
Threatray 867 similar samples on MalwareBazaar
TLSH T13BD4F8013A54E821E7E955B6CF2AC6E85B183D49EFB0A4C778E17F0F2AA94F3D215305
Reporter abuse_ch
Tags:dll Dridex

Intelligence

File Origin
# of uploads :
2
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197250/
Detection(s):
SecuriteInfo.com.generic.ml.15489.28302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6166eb181c2d58ba7404d83c/reports/e2fac590-c724-4bc9-ac1b-7bcf436e5e52/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2bd32cc-614f-46eb-b5b8-5e195b162204
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/869702
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Dridex e-Banking trojan
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502134 Sample: A76JJinZL9.dll Startdate: 13/10/2021 Architecture: WINDOWS Score: 88 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Dridex unpacked file 2->36 38 2 other signatures 2->38 7 loaddll32.exe 13 2->7         started        process3 dnsIp4 28 69.64.50.41, 49724, 49725, 49730 AS-30083-GO-DADDY-COM-LLCUS United States 7->28 30 192.168.2.1 unknown unknown 7->30 42 Detected Dridex e-Banking trojan 7->42 11 cmd.exe 1 7->11         started        13 rundll32.exe 7->13         started        16 rundll32.exe 7->16         started        18 rundll32.exe 7->18         started        signatures5 process6 signatures7 20 rundll32.exe 12 11->20         started        44 Detected Dridex e-Banking trojan 13->44 process8 dnsIp9 24 174.128.245.202, 443, 49714, 49715 ST-BGPUS United States 20->24 26 51.83.3.52, 13786, 49719, 49720 OVHFR France 20->26 40 System process connects to network (likely due to code injection or exploit) 20->40 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c3f402651ec7acc0f84753b8a3913ec5b9abb7e0350fe4c88fce7b3ed364ec0/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 14:20:10 UTC
AV detection:
4 of 44 (9.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dq7uajsr5r5myd4eou5yuoit5rnzvo36anip4tei7tt3h3jwj3aa._file
Verdict:
malicious
Label(s):
dridex
Create hunting rule
gozi
Create hunting rule
Similar samples:
022300768af4879806a62b295825264657708576228f92efda2ba023ef0d955c
Dridex
04622665ec1dccb6fabcd0d62b24747bb650aa6964a84a966a633066c840d379
Dridex
3fd6a0b667270f85b4d929748b6b32d1ecb65d01fc0e3cec4bbc025452530f07
Dridex
88a94091ec39cf0fcb60f326e81f2a12ac40c6f41072f04dd0088d9c435e2d31
Dridex
9e39f4494952dfedc6608ebad6c832474045bfaba3ccbb69f8194a2681311eac
Dridex
a2c1142a25a5081b3ead3280a8f4405d5781032e556904a66196f2c7a3d27268
Dridex
a6c8e854f7c30f6390c39a1cea1393b949331a1b17b455dedd05fd7c92c7ff90
Dridex
b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d
Dridex
c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82
Dridex
f97357d8db0ae59cafa51ca6bbae3356dd92311607e0b3192404969f4ff3f860
Dridex
+ 857 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:10444 botnet discovery evasion trojan
Link:
https://tria.ge/reports/211013-rnfsnaeda5/
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blocklisted process makes network request
Dridex
Malware Config
C2 Extraction:
174.128.245.202:443
51.83.3.52:13786
69.64.50.41:6602
Unpacked files
SH256 hash:
892dee957ed260d144b4874b4b8b9281234bf233c6896661badc8a6be0baf31b
MD5 hash:
96d963bdf21f70dca8a919377994ffd6
SHA1 hash:
329f8bb0bcff93093e83b70baf1b0c295fbafd2a
Link:
https://www.unpac.me/results/183c58cb-0485-4872-89e8-126734219658/
SH256 hash:
1c3f402651ec7acc0f84753b8a3913ec5b9abb7e0350fe4c88fce7b3ed364ec0
MD5 hash:
eb663da7d960ab7736290075b46998ef
SHA1 hash:
048f6ff1044ecd925654b86f8dbcc62a500691e0
Link:
https://www.unpac.me/results/183c58cb-0485-4872-89e8-126734219658/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c3f402651ec7acc0f84753b8a3913ec5b9abb7e0350fe4c88fce7b3ed364ec0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll 1c3f402651ec7acc0f84753b8a3913ec5b9abb7e0350fe4c88fce7b3ed364ec0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/197250/
  
URLhaus
https://urlhaus.abuse.ch/url/1673975/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1673986/
  
URLhaus
https://urlhaus.abuse.ch/url/1673991/
  
URLhaus
https://urlhaus.abuse.ch/url/1673993/
  
URLhaus
https://urlhaus.abuse.ch/url/1673995/
  
URLhaus
https://urlhaus.abuse.ch/url/1674000/
  
URLhaus
https://urlhaus.abuse.ch/url/1674014/
  
URLhaus
https://urlhaus.abuse.ch/url/1674032/
  
URLhaus
https://urlhaus.abuse.ch/url/1674079/
  
URLhaus
https://urlhaus.abuse.ch/url/1674087/
  
URLhaus
https://urlhaus.abuse.ch/url/1674100/

Comments