MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f236ee5708cdb3437caaa0a3acaf44b50fb219604790935b38062ad81442c7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f236ee5708cdb3437caaa0a3acaf44b50fb219604790935b38062ad81442c7f
SHA3-384 hash: 4648a9d84b3a7fa879989395ed600c01fc8ca9cfbe0da35f15fb41ca3619974e67da7e3d05aa3eec4f603baa2ef7cc0b
SHA1 hash: 95c090ed4247818b2ad7b98487db568c0a7e8fba
MD5 hash: b603398dcd0ea6b93d915db568c1ed15
humanhash: white-batman-high-jig
File name:b603398dcd0ea6b93d915db568c1ed15
Download: download sample
Signature Dridex
Create hunting rule
File size:178'176 bytes
First seen:2021-07-28 17:24:47 UTC
Last seen:2021-07-28 17:47:01 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash de31dd75abe38332ca3d0df9db913835 (11 x Dridex)
ssdeep 3072:roloRLWS5rOfQ326KRrXV2h2+lMNnTZuFw7Qz+Bf1QmeQmuv5K0N+VbU:sloRLW1m27rXVs2+SNnTZrUz+B9vprXN
Threatray 4'692 similar samples on MalwareBazaar
TLSH T1FA04DF41CB931A8EF543E57CC66AA63E745C2D128E37CC5EC584C11EFCA3D69E81A293
Reporter zbetcheckin
Tags:32 dll Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174745/
Detection(s):
SecuriteInfo.com.Variant.Graftor.972930.16370.23825.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74011b10-8a7c-440b-9814-438ff158561a
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/823257
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found PHP interpreter
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455668 Sample: Ytd1z94uBY Startdate: 28/07/2021 Architecture: WINDOWS Score: 76 17 104.248.178.90 DIGITALOCEAN-ASNUS United States 2->17 19 173.212.243.155 CONTABODE Germany 2->19 21 46.55.222.10 BALCHIKNETBG Bulgaria 2->21 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected Dridex unpacked file 2->27 29 3 other signatures 2->29 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 cmd.exe 1 9->11         started        process6 13 rundll32.exe 11->13         started        process7 15 WerFault.exe 20 9 13->15         started       
Gathering data
Threat name:
Win32.Trojan.Drixed
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 14:40:59 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4rw5zlqrtntin6kvifdvsxujnipwimwar4qsnntqbrk3akefr7q._file
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
0e1e2a815d6d5cd7b3865c0288334379c21b6153a0cba7b14943d5df9affa48f
Dridex
36330ee3c38ae53b19a77429e8b13c005735c93b764c0c195ee8fa5da8668017
Dridex
4bd474b1f615fc768411667af9008bca632bce598f02c565634cb49b4aa7e845
Dridex
4fc754bd7957493e0b8e127e22cb4599f9ad57d8a581087cd697ae9ee90e6d55
Dridex
6ca95953e88828830e9cdecb6f56a1139d7678b3d2bf2c2e32c27ee01cece84e
Dridex
9f1ca49e69173b3b5df37bbb48f17ce6ad857f4acbb0261f3306c9b1d2232d19
Dridex
ac3cc428096079fe4572b77a4382eb28b48f7d30279adce3ba69a51f42fe1bd4
Dridex
bb4a151f638da83fe1a229954eb038e17f97be84d721dc491927ad3e689b33f7
Dridex
deafe5f21f9d2670d395d2a729667818519646eaf443b344de4134c2bb35ca16
Dridex
ef08eafe517a3af06bb806865de42aac88231aac2e1462fa5b44b0db7231cf28
Dridex
+ 4'682 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22202 botnet loader
Link:
https://tria.ge/reports/210728-9kr465xvk2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Dridex Loader
Dridex
Malware Config
C2 Extraction:
46.55.222.10:443
104.248.178.90:4664
173.212.243.155:7002
Unpacked files
SH256 hash:
e9a1eb799cc1d7f02fc2f502d43dfaf15832687ed6d2b0db4b549bd8a9c8d89c
MD5 hash:
5c8cf3656ef1f34f31dba18eaabcc688
SHA1 hash:
c1a76725c9f390adf8f4ecd7b3e5cd5a2e14c344
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/ae1fa3ed-28c0-4f30-8bc0-8b9d4a0e994e/
Parent samples :
4bd474b1f615fc768411667af9008bca632bce598f02c565634cb49b4aa7e845
0e1e2a815d6d5cd7b3865c0288334379c21b6153a0cba7b14943d5df9affa48f
bb4a151f638da83fe1a229954eb038e17f97be84d721dc491927ad3e689b33f7
36330ee3c38ae53b19a77429e8b13c005735c93b764c0c195ee8fa5da8668017
deafe5f21f9d2670d395d2a729667818519646eaf443b344de4134c2bb35ca16
4f236ee5708cdb3437caaa0a3acaf44b50fb219604790935b38062ad81442c7f
eaf5792174c7bf56b1c8c9a4dce16b164b480e92c75260d5a2394101a3ba7765
18212cfa287efab4d07f3566ff0dcab8e74c180f26289dedbac2ec96705746a5
96396c7355d06982ab80daabeabf43c8ee81cd47e0b3269f9a9df1f48024297d
3c6e2c29392c5331736bf9a0d4f109f272a2fc00156c3f9dc4996f8f55dbcd2a
a0dce56519e9005045f514f5f42c773b1cb44109c77693da9c6a092cae6395ed
SH256 hash:
983e19aa066456af84ee6c540e3953be35ba96109a8a51560329d1f6ee0e1671
MD5 hash:
1889c02b721229dc95ed86d4e25193ee
SHA1 hash:
59da876c87537f8581641aa08164bde38f659a68
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/ae1fa3ed-28c0-4f30-8bc0-8b9d4a0e994e/
SH256 hash:
4f236ee5708cdb3437caaa0a3acaf44b50fb219604790935b38062ad81442c7f
MD5 hash:
b603398dcd0ea6b93d915db568c1ed15
SHA1 hash:
95c090ed4247818b2ad7b98487db568c0a7e8fba
Link:
https://www.unpac.me/results/ae1fa3ed-28c0-4f30-8bc0-8b9d4a0e994e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/4f236ee5708cdb3437caaa0a3acaf44b50fb219604790935b38062ad81442c7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLLLoader
Create hunting rule
Author:ditekSHen
Description:Detects unknown DLL Loader
Rule name:win_doppeldridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.doppeldridex.
Rule name:win_dridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.dridex.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll 4f236ee5708cdb3437caaa0a3acaf44b50fb219604790935b38062ad81442c7f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174745/
  
URLhaus
https://urlhaus.abuse.ch/url/1487809/
  
URLhaus
https://urlhaus.abuse.ch/url/1487920/
  
URLhaus
https://urlhaus.abuse.ch/url/1487822/
  
URLhaus
https://urlhaus.abuse.ch/url/1487868/
  
URLhaus
https://urlhaus.abuse.ch/url/1489216/
  
URLhaus
https://urlhaus.abuse.ch/url/1489217/

Comments


Avatar
zbet commented on 2021-07-28 17:24:48 UTC

url : hxxp://docusignupdates.com:8088/templates/avatar_nwtd.png