MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex
Vendor detections: 8

SHA256 hash: 2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b
SHA3-384 hash: 52ede840b24d5f16353a0ff21934819bde9faa65c3e021985bf70de97be5ce4584f67eee94a99fd60a05182ea45a51b2
SHA1 hash: 653ab54e15b01473943cd897ded24f742b0193c5
MD5 hash: 33ca3e86d783234092e52369e1b6bb83
humanhash: indigo-skylark-salami-potato
File name: Amazon_Gift-Card.579177920.scr
Signature: Dridex
File size: 988'643 bytes
First seen: 2020-11-26 05:21:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep: 12288:BY20AljdZgBPfKfQTQxAogJfqsUsz0cX0bQrGrxyvdiXACHDMq2j:W20gPgFKoTQxAVBbIcXuQ+wGAST2j
Threatray: 227 similar samples on MalwareBazaar
TLSH: 7C25BD31A15C7DF2EC62033588B4BBE15D69FEA42E75440EEEA135263A73283743DE52
Reporter: abuse_ch
Tags: Dridex scr

Intelligence

File Origin
# of uploads: 1
# of downloads: 179
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a recently created file
Sending a custom TCP request
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Drops batch files with force delete cmd (self deletion)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph (ID 322956; sample Amazon_Gift-Card.579177920.scr; start date 26/11/2020; architecture WINDOWS; score 84)
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 2 other signatures
Process tree, dropped files and network contacts as shown in the graph:
Amazon_Gift-Card.579177920.exe
    drops: C:\Video\config\elp.bat (ASCII), C:\Video\config\extraPFZ.exe (PE32)
    signature: Drops batch files with force delete cmd (self deletion)
    wscript.exe
        cmd.exe
            wscript.exe
                cmd.exe
                    regsvr32.exe
                        network: 198.57.200.100 (ports 3786, 49712, 49716; UNIFIEDLAYER-AS-1US, United States); 216.172.165.70 (ports 3889, 49711, 49715; UNIFIEDLAYER-AS-1US, United States); 2 other IPs or domains
                        signature: System process connects to network (likely due to code injection or exploit)
                    conhost.exe
                    timeout.exe
                    attrib.exe
            extraPFZ.exe
                drops: C:\Video\config\pzxrk4325.dll (PE32), C:\Video\config\7p.bat (ASCII)
            conhost.exe
            3 other processes
Threat name: Win32.Infostealer.Dridex
Status: Malicious
First seen: 2020-11-26 01:38:42 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:dridex botnet evasion loader
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Kills process with taskkill
Modifies registry class
Loads dropped DLL
Executes dropped EXE
Sets file to hidden
Dridex Loader
Dridex
Malware Config
C2 Extraction:
194.225.58.216:443
178.254.40.132:691
216.172.165.70:3889
198.57.200.100:3786
Unpacked files
SHA256 hash: 9da0e8c9f248c67e6b283849c3a972d73401f39e369c269664611783a5d8295e
MD5 hash: 062df040bf42c642b3b69f0300e046c8
SHA1 hash: 98443f0e85c48cbf2c9929d7899bd8ee433d1ec8

SHA256 hash: 556b491aa61c7a984795fc4aeefe2e212c1e0aacb641ef85c37105e445ddb3da
MD5 hash: e67b2ed2b8b24bea414f319d9e210857
SHA1 hash: 582e466c2e50dfdaf60f1074d4862172221e2841

SHA256 hash: c1b592cce67773d817f625f4a26135331585016e5cecb7f73ec127f0056a30e3
MD5 hash: 4203f581a4f4434b899e151ba8e5e8a8
SHA1 hash: fa43f5701ffd2531969610cab886c0402b096ca8

SHA256 hash: 2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b
MD5 hash: 33ca3e86d783234092e52369e1b6bb83
SHA1 hash: 653ab54e15b01473943cd897ded24f742b0193c5

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: win_dridex_loader_v2
Author: Johannes Bader @viql
Description: detects some Dridex loaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments