MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34fa8c8e97d69ecd42569b994e1933b451976958e0fb8174d6ca6483c2aef070. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34fa8c8e97d69ecd42569b994e1933b451976958e0fb8174d6ca6483c2aef070
SHA3-384 hash: 002a192631aa1cb9ae4e9fa7cbe196077083bd30b8715e17317d8e2a858ed923ab672428af96226d628b737ebc28730c
SHA1 hash: 0ad88c68943cce4eb95efbbcb4597943fc8da963
MD5 hash: 281c83016993820e5d780389a781b7d6
humanhash: thirteen-single-bluebird-blossom
File name:FixUpdate.exe
Download: download sample
Signature Dridex
Create hunting rule
File size:376'832 bytes
First seen:2021-07-13 08:07:25 UTC
Last seen:2021-07-13 08:50:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d96f3d2d312f120dfdd5c29e7320d739 (4 x Dridex)
ssdeep 3072:nZNFNT6FRfCx32h/inXU09Ez4n1oXlEcTAi+0sFp/k6vP2AuTVY5yt:nZ5TGlC5UOXU0t1Ce8sFpr2AuTVU
Threatray 6'165 similar samples on MalwareBazaar
TLSH T15E8407CF84740598FD6DDF3842725C9A246F2EA6BE68F80DA914B45647B34F238E3943
Reporter JAMESWT_WT
Tags:Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FixUpdate.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-12 18:03:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14fdbd22-b4d0-4ed5-b9a0-28293e180a6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171281/
Detection(s):
SecuriteInfo.com.Trojan.Dridex.776.16571.24827.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/efa30f61-a0fa-40d1-a45e-35d8a061a0b4
Result
Threat name:
Dridex Dropper
Create hunting rule
Detection:
malicious
Classification:
bank.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/814994
Signature
Antivirus / Scanner detection for submitted sample
Dridex dropper found
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
dridex
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34fa8c8e97d69ecd42569b994e1933b451976958e0fb8174d6ca6483c2aef070/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 15:30:41 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gt5izdux22pm2qswtomu4gjtwrizo2ky4d5yc5gwzjsihqvo6bya._file
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
40425542abe4fe6fe4c8fd55571bdb0b1d60cc2b2cd859bcb51a1ebfc5e76e3f
Dridex
4ec406d75588c4e395c1a5b93bf43da319684352061cf42876c704d92a52df92
Dridex
60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe
Dridex
635bda46af22563c2c46cbd6d4768f6544758876e8e8fdf859f73730dd7a4112
Dridex
9ff01c0edcf9082323a22fc225b4f2f7c9ff6d5b1f7c8d76c94da83b4c37ec25
Dridex
bf18f7795978afc865f65d3e4618289a9a2f983dcb8f554c233354cfe7ab5f52
Dridex
d7f98d07bf92683805e0ad58ff9035246409c9198659d00c7c2c3465ba3d04a4
Dridex
eced91f3ea5c7d6648f7033d82724cc7c33a3a88a051d19676a4494cf44260a2
Dridex
ff7af82c8f58c72c7a832f919c4f869c6ee8f894e8a6ba2f5c63d59f80331ea4
Dridex
+ 6'155 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22201 botnet evasion loader trojan
Link:
https://tria.ge/reports/210713-estm9638s6/
Behaviour
Checks whether UAC is enabled
Dridex Loader
Dridex
Malware Config
C2 Extraction:
191.252.184.113:443
107.170.64.97:9043
212.227.94.31:10172
Unpacked files
SH256 hash:
3e4cd21933c2665112fbbb8c4973c9189edaac890e1d16e6dbdff3679c7e618c
MD5 hash:
d05d3fb66ff75e6850cd47150a402d97
SHA1 hash:
2cfe7f4d46fa832bb7dea92b613136e079752e97
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/f0e02cf5-9072-4906-8264-f3d51ecf7f93/
SH256 hash:
34fa8c8e97d69ecd42569b994e1933b451976958e0fb8174d6ca6483c2aef070
MD5 hash:
281c83016993820e5d780389a781b7d6
SHA1 hash:
0ad88c68943cce4eb95efbbcb4597943fc8da963
Link:
https://www.unpac.me/results/f0e02cf5-9072-4906-8264-f3d51ecf7f93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34fa8c8e97d69ecd42569b994e1933b451976958e0fb8174d6ca6483c2aef070

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:win_doppeldridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.doppeldridex.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

Executable exe 34fa8c8e97d69ecd42569b994e1933b451976958e0fb8174d6ca6483c2aef070

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/171281/
  
URLhaus
https://urlhaus.abuse.ch/url/1449886/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1449887/
  
URLhaus
https://urlhaus.abuse.ch/url/1449888/
  
URLhaus
https://urlhaus.abuse.ch/url/1449889/

Comments