MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50df8be8a37f5f41e2ff36a747dd5e372b400444673d8359fc64a48786526624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	50df8be8a37f5f41e2ff36a747dd5e372b400444673d8359fc64a48786526624
SHA3-384 hash:	7ac49df05345fd13e4996a50bbdf7730aa843b7ff10955b8f3e20d6f3fbf1fc587647ea0e15e72aac5a922f5a26cfa80
SHA1 hash:	869854919007c3f0c2774510996c49fc826701c2
MD5 hash:	a5a2a0ac915966ab32b9e9f695126a52
humanhash:	cup-magazine-papa-crazy
File name:	cym4u.exe
Download:	download sample
Signature	Dridex Create hunting rule
File size:	1'327'616 bytes
First seen:	2021-04-11 02:57:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b9d809d7892afbdc1bec995d79f9b3a7 (1 x Dridex)
ssdeep	24576:UEyuelNHvbyVfbWWbyHjaSabybbybvkbleb:/EhEk
TLSH	3355D043AE454661D03A0471579FE7FEC66D2E680B08899672E0FF5734B31E3A60B72B
Reporter	nao_sec
Tags:	Dridex RigEK

Intelligence

File Origin

# of uploads :

# of downloads :

363

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://ankltrafficexit.xyz/trafficexit

Verdict:

Malicious activity

Analysis date:

2021-04-11 02:45:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0459bcfe-39b2-47c6-98db-5800e371a804

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DridexLoader

Link:

https://www.capesandbox.com/analysis/133521/

Detection(s):

Win.Malware.Generickdz-9851247-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Dridex

Detection:

malicious

Classification:

bank.troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/672124

Signature

C2 URLs / IPs found in malware configuration

Detected Dridex e-Banking trojan

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Yara detected Dridex unpacked file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/50df8be8a37f5f41e2ff36a747dd5e372b400444673d8359fc64a48786526624/

Threat name:

Win32.Infostealer.Dridex

Status:

Malicious

First seen:

2021-04-11 02:58:07 UTC

AV detection:

22 of 48 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kdpyx2fdp5pudyx7g2tupxk6g4vuabcem46ygwp4mssipbssmysa._file

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet:10111 botnet discovery evasion loader trojan

Link:

https://tria.ge/reports/210411-6trz536abx/

Behaviour

Checks installed software on the system

Checks whether UAC is enabled

Dridex Loader

Dridex

Malware Config

C2 Extraction:

131.100.24.231:443
188.165.17.91:8443
185.148.169.10:2303

Unpacked files

SH256 hash:

0143b35adf6c4d89123e12d5b0feea4f41ed38b7a1e84e532ee6d65a6c0b9e33

MD5 hash:

715ea5bfe5c0df53a1996dbe2d0b97e1

SHA1 hash:

5e341b83ecfe716f48490ed10ea2606e6083bc4a

Link:

https://www.unpac.me/results/6f0e1328-db97-4e4c-bff6-0c27b7d85e4d/

SH256 hash:

50df8be8a37f5f41e2ff36a747dd5e372b400444673d8359fc64a48786526624

MD5 hash:

a5a2a0ac915966ab32b9e9f695126a52

SHA1 hash:

869854919007c3f0c2774510996c49fc826701c2

Link:

https://www.unpac.me/results/6f0e1328-db97-4e4c-bff6-0c27b7d85e4d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/50df8be8a37f5f41e2ff36a747dd5e372b400444673d8359fc64a48786526624

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DridexLoader Create hunting rule
Author:	kevoreilly
Description:	Dridex v4 dropper C2 parsing function

Rule name:	win_dridex_loader_v2 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects some Dridex loaders

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/nao_sec/status/1381077887172759555

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/133521/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample