MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4163fd41ce3f6c254a2158ec1b7a10a92f4772fbd529e66ad7ac183ba928931f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4163fd41ce3f6c254a2158ec1b7a10a92f4772fbd529e66ad7ac183ba928931f
SHA3-384 hash: c12f67f415a6e2ee21eb1dfa3348b66c92d9e1d78c8bf0bc4b64a8a91a717e22a20e8ae704736cc22caad9e322e6c149
SHA1 hash: 4ac985d7a11c0b665e4a92039bab02cb511a4778
MD5 hash: d232c8c0120e0b2a54b59a4acdef21cf
humanhash: chicken-april-monkey-golf
File name:Transaction_1321.xll
Download: download sample
Signature Dridex
Create hunting rule
File size:656'896 bytes
First seen:2021-12-14 16:43:22 UTC
Last seen:2021-12-14 18:45:11 UTC
File type:Excel file xll
MIME type:application/x-dosexec
imphash 8c8bba54a9dc287053536e212411cdac (12 x Dridex)
ssdeep 12288:MHB8k2IlwP0iruRPlOF8bzbBSreIN91KVWf9pam:a8mO2X1MmgO
Threatray 8 similar samples on MalwareBazaar
TLSH T175D46C56BEC6AEA2EF7F51B7C360EA391156736D03A09ACF760305993915FD2403EA03
Reporter cocaman
Tags:Dridex xll


Avatar
cocaman
Malicious email (T1566.001)
From: ""telegram-mainserv0.live" <info@telegram-mainserv0.live>" (likely spoofed)
Received: "from mail.telegram-mainserv0.live (unknown [192.162.246.99]) "
Date: "Tue, 14 Dec 2021 19:14:43 +0300"
Subject: "Transaction Proceeded"
Attachment: "Transaction_1321.xll"

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transaction_1321.xll
Verdict:
No threats detected
Analysis date:
2021-12-14 16:48:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/300ddc91-1e03-4a1d-ae86-272cb1fab74b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Convagent.ac.29125.22176.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/4163fd41ce3f6c254a2158ec1b7a10a92f4772fbd529e66ad7ac183ba928931f/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/61b8c9d98a1c0aab6a87edaa/reports/ab126152-8189-49c9-8b0b-e5a6db29b2c7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4163fd41ce3f6c254a2158ec1b7a10a92f4772fbd529e66ad7ac183ba928931f/
Threat name:
ByteCode-MSIL.Downloader.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-12-14 15:10:24 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
17 of 45 (37.78%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifr72qooh5wcksrbldwbw6qqvexuo4x32uu6m2wxvqmdxkjismpq._file
Verdict:
unknown
Similar samples:
456b0fd1d64450963bfcce17ef195ec97ae8e2c142bb2b598e32f63b671e6e2d
Dridex
734829ac3ed2dd05ee416c3f82290b9ebc16c7765b8410917e3b2bc44bda7ee1
Dridex
7ed6f514c14770cf4f2d9957b94c3e6891f31580aa9b38594374cc1362bc88a5
Dridex
addfb11101c682ba3c575961f9c5bbc12d050f7e473509e3767b4b8a2a6b88a9
Dridex
ae2ee9f58ee2c27d739190e1176d8898a49ddac0c36e392115f12309ac07e63a
Dridex
b2cdcf185c0f0f8049e02f4b8c54c4dbdae4baa4dc4ddc6e1de5e76645cc17f3
Dridex
ecced63b75f7967f2ec05955217d6e30bb45cb0dc7d620213defacf33174e953
Dridex
f7f572445d6dfcc947f3f9532206997a12f0a894e97c75785a9db34f16462028
Dridex
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211214-t8tlcshbbk/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4163fd41ce3f6c254a2158ec1b7a10a92f4772fbd529e66ad7ac183ba928931f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Dridex

Excel file xll 4163fd41ce3f6c254a2158ec1b7a10a92f4772fbd529e66ad7ac183ba928931f

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments