MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cf9c537591df06f023bbf8cbb88a030d8ab85fd995c302867d0514e5606b234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Dridex


Vendor detections: 10



SHA256 hash: 2cf9c537591df06f023bbf8cbb88a030d8ab85fd995c302867d0514e5606b234
SHA3-384 hash: 181dca816b0e877d800996ba6695cb63e6d4ef8bed82cfbb79edc1ab1942f68b312a01d49f0566d86006449c053dbaa2
SHA1 hash: 18f111dd31425280a1ac34639c055517bf45e13c
MD5 hash: fb8813e2dc2658ad444579bd0c38f2e6
humanhash: yankee-oven-summer-low
File name: 2cf9c537591df06f023bbf8cbb88a030d8ab85fd995c302867d0514e5606b234
Download: download sample
Signature: Dridex
File size: 524'288 bytes
First seen: 2021-12-21 13:58:50 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash 5ad3b93adc2f9b7a31e634988c069f77 (85 x Dridex)
ssdeep 12288:S2cK4kV9W/k7MNKABzMyLi8E6+DnOM2Swyu9n:tkMs9
Threatray 5'738 similar samples on MalwareBazaar
TLSH T1B3B4BF92960F6767E43C32B3E8E36436AB434F280DD4BDE5BA00764F733D498649D686
Reporter thomaspatzke
Tags:dll Dridex


blubbfiction
Dridex distributed via Log4Shell

Intelligence


File Origin
# of uploads: 1
# of downloads: 635
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Behavior Graph ID: 543449
Sample: QntALxlxrm
Start date: 21/12/2021
Architecture: WINDOWS
Score: 80
Network contacts:
  89.31.56.58 (UNITHOST-ASNL, Netherlands)
  51.159.52.196 (OnlineSASFR, France)
  2 other IPs or domains
Signatures on the sample:
  Found malware configuration
  Multi AV Scanner detection for submitted file
  Yara detected Dridex unpacked file
  3 other signatures
Process tree:
  loaddll32.exe (started; Tries to delay execution (extensive OutputDebugStringW loop))
    cmd.exe (started)
      rundll32.exe (started)
        WerFault.exe (started)
    rundll32.exe (started)
      WerFault.exe (started)
Threat name:
Win32.Worm.Cridex
Status:
Malicious
First seen:
2021-12-20 23:52:27 UTC
File Type:
PE (Dll)
AV detection:
27 of 43 (62.79%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:dridex botnet:22203 botnet loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Dridex Loader
Dridex
Malware Config
C2 Extraction:
51.159.52.196:443
134.209.247.135:6602
194.233.68.48:5228
89.31.56.58:593
Unpacked files
SHA256 hash:
5f167deb180d1fffc3116099efa69eb7a377dbb8aa245c73da4c50e60a11f92f
MD5 hash:
537f0d8024c404f3c475bf9c43fbff9f
SHA1 hash:
9a560422ceacfb88a9a89968d3688c2853c03ae9
Detections:
win_doppeldridex_auto
SHA256 hash:
d498467052b610da6fc8d59e245a1b29306dd79cb47b52991082755dfec5bf15
MD5 hash:
ffeed13e5516f419ee3985a35b282462
SHA1 hash:
fc85566576f4edac7b42e6da5eb7fb11a4bca09a
Detections:
win_dridex_auto
Parent samples :
ee14add8eb5342d6c672dbff573b0737ac4f718f06d2881f9d319e6c806db770
b3f2455dbdfadfdb76026bff37d4180f90b8dcfed7ce84043e2fcef4ae33b5e1
4e41e0a0750125693aeadde94e11f23f9b29a81b26b41463117bd39d19374f84
e5607a5a103d6bc04f97ffdeea63ba4629a6f99d55d89d2b2047e6d61c539357
c4ac66cd26e9c6880438022aba95a5cfe87fe47ecc326c2f1d508a036476ad60
59b90c2d9f7732201c2f5498de46accdc545fe34a165bcbba4bd1fb304e3033e
8061601b31fb8b82c7f0dcf77ffbcb74a093d8e64a951cfb9d38992a4cc41913
e1dbc17cfcab4b6b14a07dde15327991d38a314c26a8464bebefb1118f16511a
d42a9de7251a976e19b8a789154d56ab4d36fa0a5dfc5af83f31847111587453
0e5c5fd9dbd9877538234f46af9f9ad2bed5561f5fda9c2de019272741d4c208
ff78059edf414a40fbc264f86c9bcf0f4fc2ae9c7291fb0cb13b250223d9a497
1aa52252a9ae1c24c9a587d84bbe8ad42ea834ecb2f5e363660d0180a0fd358b
c13443798f618fba8cbfe70c4b39e165e0d88dbcb9eaadcb8329536c13ce5e0b
c60194aa02c0f072e83d65fbbdf6cab49ba8e528443146a83685ca39739ff715
3739d6dfdd6a52951b2a44b2b1c5d0f9486c2df83b789d7e7ab76264d2d5dcde
4cfe3f30d028e7cb1eea0ee761b75ed998cd0c6d6ff4f9a802db428d0b9dda39
8187ea4c01f4820600fbfeb8c73d01550c8d87b9203ba76825911851ab68259a
27b24d442413bdb408f7d2e09f440a5fba2d5b2bf22ed2a99562c09dc3234fb3
e94952392e6d98a4263907ae825372ebda1f9208e2478efcfbdb7ae8e90c5582
e73af48a49c537f019c474c3a5f3fc8f4ae434caa9dd4126daeb476add244062
03031415064b651e65b8a83d06eca4e6a83a23854b9b504c011a02feac993dd0
493cac69ba43c4b18827da0beed872830abcffe071ce7f2c90378802196d3c45
85890ee7659c717dfbddc97ffbcd01b495d3a28c728b35cf1cd6ac1ebd306c92
f8dfd17a7ffb6fba87152b11f34ff39cbc29b8661316b9a2f95b9a28af2af9d4
4a04f52da6831a961fc09ff38561ecabdc50fb426aeb343f89454715d6b440ab
f0f8c65ff33028fffaa1b7e9e18dacd896e0b0e8a9fa6e234c719b030b9741ac
999285b1dae2c26e61557b12e3f60dc6135dfb185c0136cb1e2f441149bfea40
201a9f314f99986e881fd18233bc6c7deee7c8a92df33f27bdc8aab461934d1b
38796a89ff94fbae83d2be42eac45f980c3f0c5e1aeb11079c027827f617c04c
93efd751aa87f9bb2dc22adcf47a72f6893a27c49fe074750454d4aacd13b94c
947cfb6d949f9a30f0c66d2aaabb0ccbe4cd0acf735abebc0e929e49c9fe83eb
7d27378b178f3ed92b2f7d4bf9c49e424f875a220fe762d25efb3c4d3879101f
058f651f84f6c0de11e988aeab5179d426d79c345e5fb972c752d70bccddee5c
96122fb865d9d5e150fdbd1c04240e786a3c16528cd33748464eade4ea6d9986
62a4e3d63b7df158f649060adc4a96145f4235b8258d72bb4f39241fd089e772
3bb445d4ffac94906e3a834b659d7adc1f18dc7b9c9196c38b353937f1381278
ec06ef0c5901082335a299b321f16582e6f6639c2299beefa1981eb777b34896
ae2669203764ff3bf46e5b3bd9b5582af63b9544f80114624331e07a3b03b80a
5dc64df3cca54165dc493a27a09243962a8c52c3f2a4118b24f620914f2a9f38
e308e2a2e14fda8199468628a3b5ba983f4703edfaf060eab6ceb88564acfe9b
8cd9c1725c59139cafb22e210d4cbd0e6d78c2d5ed5cddda30b173dc85950d9e
bd66f82a1667ce3dc6250690658f081f262329039c1d5e446bf8026077f07748
4230b78bf642482038b6fe2355c951c13fe8b9c97068273a5aab06356865c8e1
929ca7f836a683e65c010e190a068e6785e8dd2dade630b6006f915d3d5e9007
99b02ee3c8256eb95c745119609a976ced1d887e6475f6bd3768fb9711e75554
2cf9c537591df06f023bbf8cbb88a030d8ab85fd995c302867d0514e5606b234
5b17007c41438abd1b60bc84b2f3fdacd6ce2f42c54e14f8ca97466650c1a2a3
6805b96efa556df82f22e5c3a426f9d6040949dbf0c3c6fb489c2812464aa6b6
7249ce3d04df4431c89afca3e3ffbc8e54f0cb820b6d04f602e346eb2b97210c
634e08b7594849fcd37698e668e7c3bcc8aa5af3cc1dac488bdb19c722a6bce0
f9c89d9fedc27f2af79185065a7b2b98512ed8763b50f0fbd4af59ee36ab611e
SHA256 hash:
2cf9c537591df06f023bbf8cbb88a030d8ab85fd995c302867d0514e5606b234
MD5 hash:
fb8813e2dc2658ad444579bd0c38f2e6
SHA1 hash:
18f111dd31425280a1ac34639c055517bf45e13c
Please note that we are no longer able to provide a coverage score for Virus Total.
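The hashes at the top of this entry and the C2 endpoints under "C2 Extraction" are the two IOC sets a responder would actually consume. The following Python is an added example, not part of MalwareBazaar or of this entry: it verifies a local file against the four published digests and sweeps a connection log for the listed C2 IP:port pairs, reporting a hit on the IP alone (different port) separately as a weaker indicator. The IOC values are copied from the entry above; the file bytes and the connection-log lines are constructed for illustration and are not real Dridex artifacts.

```python
"""Match the IOCs of this MalwareBazaar entry against local artifacts.

Added example (not MalwareBazaar code). The hash and C2 values are copied
from the entry; all input data below is constructed for illustration.
"""
import hashlib
import re

# Digests published for the DLL in the entry (SHA256, SHA3-384, SHA1, MD5).
ENTRY_HASHES = {
    "sha256": "2cf9c537591df06f023bbf8cbb88a030d8ab85fd995c302867d0514e5606b234",
    "sha3_384": "181dca816b0e877d800996ba6695cb63e6d4ef8bed82cfbb79edc1ab1942f68b312a01d49f0566d86006449c053dbaa2",
    "sha1": "18f111dd31425280a1ac34639c055517bf45e13c",
    "md5": "fb8813e2dc2658ad444579bd0c38f2e6",
}

# C2 endpoints from the "C2 Extraction" section, as (ip, port) pairs.
C2_ENDPOINTS = {
    ("51.159.52.196", 443),
    ("134.209.247.135", 6602),
    ("194.233.68.48", 5228),
    ("89.31.56.58", 593),
}

# Constructed connection log (assumed format: ts action proto src:sport -> dst:dport).
# Line 2 and 3 hit a listed C2 exactly; line 4 hits a C2 IP on an unlisted port.
CONN_LOG = """\
2021-12-21T14:01:03Z ALLOW tcp 10.0.0.5:49711 -> 93.184.216.34:443
2021-12-21T14:01:09Z ALLOW tcp 10.0.0.5:49712 -> 51.159.52.196:443
2021-12-21T14:01:10Z ALLOW tcp 10.0.0.5:49713 -> 89.31.56.58:593
2021-12-21T14:01:15Z ALLOW tcp 10.0.0.7:50001 -> 89.31.56.58:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def hash_file_bytes(data: bytes) -> dict:
    """Compute all four published digests of `data` in a single pass."""
    digests = {name: hashlib.new(name) for name in ENTRY_HASHES}
    for h in digests.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in digests.items()}


def match_hashes(data: bytes, iocs: dict = ENTRY_HASHES) -> list:
    """Return the sorted names of the algorithms whose digest of `data` equals an IOC.

    Comparing all four digests (not just MD5) avoids relying on a collision-prone
    algorithm alone when the IOC source publishes stronger ones as well.
    """
    computed = hash_file_bytes(data)
    return sorted(
        name for name, value in computed.items()
        if value == iocs.get(name, "").lower()
    )


def find_c2_connections(log_text: str, c2: set = C2_ENDPOINTS) -> tuple:
    """Sweep a connection log for the listed C2 endpoints.

    Returns (exact, ip_only): `exact` holds connections matching both IP and
    port, `ip_only` holds connections to a C2 IP on a port not in the list.
    Each item is (timestamp, "src:sport", "dst:dport").
    """
    c2_ips = {ip for ip, _ in c2}
    exact, ip_only = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        dst, dport = m["dst"], int(m["dport"])
        record = (m["ts"], f"{m['src']}:{m['sport']}", f"{dst}:{dport}")
        if (dst, dport) in c2:
            exact.append(record)
        elif dst in c2_ips:
            ip_only.append(record)
    return exact, ip_only


if __name__ == "__main__":
    sample = b"constructed placeholder bytes, not the Dridex DLL"
    print("hash matches:", match_hashes(sample))  # [] for the placeholder
    exact, ip_only = find_c2_connections(CONN_LOG)
    for rec in exact:
        print("C2 hit (ip+port):", *rec)
    for rec in ip_only:
        print("C2 IP on other port:", *rec)
```

To check a real file, read it in binary mode and pass the bytes to `match_hashes`; a match on `sha256` is the authoritative result, the other three are there for feeds that only publish MD5 or SHA1. The IP-only bucket exists because Dridex C2 ports in this entry are non-standard (593, 5228, 6602), so a connection to a listed IP on another port is worth a look but should not be treated as confirmed.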

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Dridex
File type: DLL
SHA256 hash: 2cf9c537591df06f023bbf8cbb88a030d8ab85fd995c302867d0514e5606b234 (this sample)

Comments