MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b63a9fe241e899a5e6723176d3a7b96c41294ace29d70b8deebf386bafdfb62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	4b63a9fe241e899a5e6723176d3a7b96c41294ace29d70b8deebf386bafdfb62
SHA3-384 hash:	6e1ea1939f531986564145655f59eeb40fdb743d8536049ce422b84e7d391b99e5ca270eefe72c669fee7f6ccfee2dc4
SHA1 hash:	7106ecbdebd34ec4ad2b44a645164152a19c1148
MD5 hash:	1b30846f1a47ce9da57676ba4878141c
humanhash:	green-quiet-happy-north
File name:	FixTool2.exe
Download:	download sample
Signature	Dridex Create hunting rule
File size:	376'832 bytes
First seen:	2021-07-13 13:28:59 UTC
Last seen:	2021-07-13 14:48:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d96f3d2d312f120dfdd5c29e7320d739 (4 x Dridex)
ssdeep	3072:UZNFNT6FRfCx32h/inXU09EDln1oXlEcTAi+0sJp/k6vP2AuTVY5yt:UZ5TGlC5UOXU0s1Ce8sJpr2AuTVU
Threatray	6'168 similar samples on MalwareBazaar
TLSH	T17A8417CF84740598FD6DDF3802725C9A246F2EA6BE68F80DA914B45647B34F238E3943
Reporter	Anonymous
Tags:	Dridex exe

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FixTool2.exe

Verdict:

No threats detected

Analysis date:

2021-07-13 13:33:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e3a28e26-195f-45c0-bf93-d1507cc178d7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DridexV4

Link:

https://www.capesandbox.com/analysis/171436/

Detection(s):

SecuriteInfo.com.Trojan.Dridex.776.28292.10480.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dridex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/64bd6e46-0b49-4398-806d-edec1c9259f0

Result

Threat name:

Dridex Dropper

Detection:

malicious

Classification:

bank.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/815629

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Dridex dropper found

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Tries to detect virtualization through RDTSC time measurements

Yara detected Dridex unpacked file

Behaviour

Behavior Graph:

Download SVG

Detection:

dridex

Link:

https://mwdb.cert.pl/sample/4b63a9fe241e899a5e6723176d3a7b96c41294ace29d70b8deebf386bafdfb62/

Threat name:

Win32.Backdoor.CobaltStrike

Status:

Malicious

First seen:

2021-07-12 15:30:40 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jnr2t7red2ezuxthemlw2ot3s3cbfffm4koxbog65pzynox57nra._file

Verdict:

malicious

Label(s):

doppeldridex

dridex

Dridex

40425542abe4fe6fe4c8fd55571bdb0b1d60cc2b2cd859bcb51a1ebfc5e76e3f

Dridex

4ec406d75588c4e395c1a5b93bf43da319684352061cf42876c704d92a52df92

Dridex

60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe

Dridex

635bda46af22563c2c46cbd6d4768f6544758876e8e8fdf859f73730dd7a4112

Dridex

9ff01c0edcf9082323a22fc225b4f2f7c9ff6d5b1f7c8d76c94da83b4c37ec25

Dridex

bf18f7795978afc865f65d3e4618289a9a2f983dcb8f554c233354cfe7ab5f52

Dridex

eced91f3ea5c7d6648f7033d82724cc7c33a3a88a051d19676a4494cf44260a2

Dridex

ff7af82c8f58c72c7a832f919c4f869c6ee8f894e8a6ba2f5c63d59f80331ea4

Dridex

+ 6'158 additional samples on MalwareBazaar

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet:22201 botnet evasion loader trojan

Link:

https://tria.ge/reports/210713-5nf4nwfts2/

Behaviour

Checks whether UAC is enabled

Dridex Loader

Dridex

Malware Config

C2 Extraction:

191.252.184.113:443
107.170.64.97:9043
212.227.94.31:10172

Unpacked files

SH256 hash:

9627b46d8213e3619e2553cb40710d73b92f67d783ca73c209aa4be290ff6df0

MD5 hash:

49b34555c0585daeb5d23facc2bd88e5

SHA1 hash:

ddf8e966db5d5f23f69ab73766357c8f69af65f5

Detections:

win_doppeldridex_auto

Link:

https://www.unpac.me/results/ec6f79aa-c7ba-4a8e-953b-f96bddd7a098/

SH256 hash:

4b63a9fe241e899a5e6723176d3a7b96c41294ace29d70b8deebf386bafdfb62

MD5 hash:

1b30846f1a47ce9da57676ba4878141c

SHA1 hash:

7106ecbdebd34ec4ad2b44a645164152a19c1148

Link:

https://www.unpac.me/results/ec6f79aa-c7ba-4a8e-953b-f96bddd7a098/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b63a9fe241e899a5e6723176d3a7b96c41294ace29d70b8deebf386bafdfb62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DridexLoader Create hunting rule
Author:	kevoreilly
Description:	Dridex v4 dropper C2 parsing function

Rule name:	DridexV4 Create hunting rule
Author:	kevoreilly
Description:	Dridex v4 Payload

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_doppeldridex_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.doppeldridex.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/171436/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample