MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c6054b564bc7c113d19d7604baafcd4b23824ecb34f8575e05458b9b1e46063. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c6054b564bc7c113d19d7604baafcd4b23824ecb34f8575e05458b9b1e46063
SHA3-384 hash: a19c1fe4445181b7f12a79de3b92950fa05728a9d4976f8bc1f978014605d6ce174b007ff2dc2e17f354ea526800788f
SHA1 hash: 5098c7fdfb3f77d0953a30bc49454e75a9797b7e
MD5 hash: 0bb912ed0fe0f0df1b227dcbd80e61f1
humanhash: arizona-harry-foxtrot-alaska
File name:fprl.exe
Download: download sample
Signature Dridex
Create hunting rule
File size:221'184 bytes
First seen:2020-03-26 19:23:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92c924c24df0e35b6e1181ef84120afd (2 x Dridex)
ssdeep 6144:v+sm5cj/3bzB/6b/ncBTSIYJHOxS5RuvsN3vC5V64Gd7:vNycjfp/IncBT7YJvuv63vC
Threatray 122 similar samples on MalwareBazaar
TLSH 2D24E07027FBD648F5F54B780AB6EBC26A367D50DA71C91E9F024A9F4475A00EC24B13
Reporter abuse_ch
Tags:Dridex exe


Avatar
abuse_ch
Dridex malspam, various senders and subjects. XLS->download->exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.224e0c5a6e94688d.13659.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2020-03-26 19:35:41 UTC
File Type:
PE (Exe)
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hrqfjnlexr6bcpiz25qexkx42szdqjhmwnhyk5pakrmltmpembrq._file
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
0b02474d4fc4a2d7d4b43562c4b8532e9880941610be7a955ce740fd6f959ac9
Dridex
10d2dca371bee5330d7ebcd022dbd1baddd3dc8ed4b3b602ce1efe333f79b9c9
Dridex
17c66a318f48ef5531387fcae08b532e68e7553a8068ae2e37054d5da704645b
Dridex
41a3586da1ade6096a5d254c93d071ed5bdd702ddbff61b5db3473495de412e6
Dridex
4d7fd7d58f0bbd4318dfad6767b1046a25f9fc2915ca41b4763be74da56683a5
Dridex
5528a39d6f2ca52ad81f936c75e2036cb91d0e88824f7a5abd67a601314b66bb
Dridex
73849ce478a894f10589cc31aece7dcb8a39c1c43a4a5c401b2dae86b53bb9c7
Dridex
c8cca37f43f4aa66b4bfbf811931c57971d2f1571cfebbb7d24235c07e108f26
Dridex
d18d211cf75fbc048d785af92b76a1aa7a01e381313b1a5e66e9cf564cbe78d4
Dridex
d3d026f833f38db4e9c43dd3b7371c3826e39d16ed6c0dfd69301584c6ac4783
Dridex
+ 112 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dridex_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

Executable exe 3c6054b564bc7c113d19d7604baafcd4b23824ecb34f8575e05458b9b1e46063

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/330533/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/330426/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaAVIFIL32.dll::AVIStreamStart
WINMM.dll::midiOutGetDevCapsW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle

Comments


Avatar
commented on 2020-03-26 19:38:28 UTC

Dridex C2s:
107.161.30.122:8443
219.94.242.134:1443
185.234.52.181:443