MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e3849f655bed5d4520d16e29b6f5a2b9f294243ca2f8bae7c16cd12c6d31a9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	3e3849f655bed5d4520d16e29b6f5a2b9f294243ca2f8bae7c16cd12c6d31a9f
SHA3-384 hash:	a602b2f961fc14758bea01de25e9428f8ce9fed0803135b4647258c693ee81b6408748ec6081512d8b9bdbea552c16cc
SHA1 hash:	a892515de044a2b718581b57abdb5df9e94120ba
MD5 hash:	26c626e9defe34e89a308aa4ac898aca
humanhash:	georgia-cup-lemon-charlie
File name:	FixKaseya.exe
Download:	download sample
Signature	Dridex Create hunting rule
File size:	172'032 bytes
First seen:	2021-07-08 18:44:27 UTC
Last seen:	2021-07-09 01:03:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e8318ff06c9300056690aa13be7e49b2 (2 x Dridex)
ssdeep	3072:IWanzQJH775FX6YhBPAzoB6AHHMTDDI22LlY2cf/Kk73:IWac1p+oBbiDI26lm
Threatray	4'564 similar samples on MalwareBazaar
TLSH	T1E3F3F134775F69E6CE4805351320A89FEE5B6792C50D3AE39E318C13EE4BB62B4B3416
Reporter	Anonymous
Tags:	Dridex exe

Anonymous

E-mail subject: "Kaseya update information about incident xxxxxxx from response team."

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FixKaseya.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-08 18:50:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e3dfb089-47ae-4839-9e06-76b62f64d63c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DridexLoader

Link:

https://www.capesandbox.com/analysis/170545/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.4188.15525.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dridex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f6e030bf-3c17-423a-9821-becd20d940d7

Result

Threat name:

Dridex

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/813709

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Tries to detect virtualization through RDTSC time measurements

Yara detected Dridex unpacked file

Behaviour

Behavior Graph:

Download SVG

Detection:

dridex

Link:

https://mwdb.cert.pl/sample/3e3849f655bed5d4520d16e29b6f5a2b9f294243ca2f8bae7c16cd12c6d31a9f/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2021-07-08 16:33:33 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

1/5

Verdict:

malicious

Label(s):

doppeldridex

Dridex

40425542abe4fe6fe4c8fd55571bdb0b1d60cc2b2cd859bcb51a1ebfc5e76e3f

Dridex

4ec406d75588c4e395c1a5b93bf43da319684352061cf42876c704d92a52df92

Dridex

60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe

Dridex

635bda46af22563c2c46cbd6d4768f6544758876e8e8fdf859f73730dd7a4112

Dridex

9ff01c0edcf9082323a22fc225b4f2f7c9ff6d5b1f7c8d76c94da83b4c37ec25

Dridex

bf18f7795978afc865f65d3e4618289a9a2f983dcb8f554c233354cfe7ab5f52

Dridex

d7f98d07bf92683805e0ad58ff9035246409c9198659d00c7c2c3465ba3d04a4

Dridex

eced91f3ea5c7d6648f7033d82724cc7c33a3a88a051d19676a4494cf44260a2

Dridex

+ 4'554 additional samples on MalwareBazaar

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet:22202 botnet evasion loader trojan

Link:

https://tria.ge/reports/210708-bjwx694yh2/

Behaviour

Checks whether UAC is enabled

Dridex Loader

Dridex

Malware Config

C2 Extraction:

164.68.126.207:23399
150.95.20.209:3978
107.170.211.239:4664

Unpacked files

SH256 hash:

f52f275bfe954f46f8c23cd1c2e6805ebc8774d163ce3ef4acb7cd8952548c92

MD5 hash:

6f2ac1e5b0191fc469abecc85fb280a1

SHA1 hash:

76293d912f1fbd3354311e8971adb2acbf952c44

Detections:

win_doppeldridex_auto

Link:

https://www.unpac.me/results/d2b304e6-be9e-4541-a185-3664bfd64679/

SH256 hash:

3e3849f655bed5d4520d16e29b6f5a2b9f294243ca2f8bae7c16cd12c6d31a9f

MD5 hash:

26c626e9defe34e89a308aa4ac898aca

SHA1 hash:

a892515de044a2b718581b57abdb5df9e94120ba

Link:

https://www.unpac.me/results/d2b304e6-be9e-4541-a185-3664bfd64679/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e3849f655bed5d4520d16e29b6f5a2b9f294243ca2f8bae7c16cd12c6d31a9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DridexLoader Create hunting rule
Author:	kevoreilly
Description:	Dridex v4 dropper C2 parsing function

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_doppeldridex_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.doppeldridex.

Rule name:	win_nymaim_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.nymaim.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/170545/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample