MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 538dbb8edaeba882aaf0b8f624a043699dd7544784352352a3b2b28ab6bad8e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 538dbb8edaeba882aaf0b8f624a043699dd7544784352352a3b2b28ab6bad8e1
SHA3-384 hash: a92c471b86c6be198b3af0f75f5b03b4a396c912bef654c16506149840f809a6b5223cae43893ef9afdd81284c378ec6
SHA1 hash: 1239384045ed93a2932c66bce075858584b171c1
MD5 hash: 67de209a26b0392ec68f1acadfcd3b8c
humanhash: virginia-robert-network-burger
File name:4vkqo.dll
Download: download sample
Signature Dridex
Create hunting rule
File size:241'664 bytes
First seen:2021-01-21 11:26:18 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 7df9dbed14147558d9c2b16fc9eecc49 (5 x Dridex)
ssdeep 6144:b+4V3yyQTz8ITeRDZSw3D2Fsd1u/6mv5/dC:qciyQTdT+swTgt/6c/dC
Threatray 159 similar samples on MalwareBazaar
TLSH 6D34BF803797851BE26217B8317AE5F81138FE4067B1CF253A60716F1EB69A0593FBB4
Reporter JAMESWT_WT
Tags:dll Dridex

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113268/
Detection(s):
SecuriteInfo.com.Generic.mg.16a37a19c2db0cf2.14628.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/587159
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 342602 Sample: 4vkqo.dll Startdate: 21/01/2021 Architecture: WINDOWS Score: 52 12 Multi AV Scanner detection for submitted file 2->12 14 Machine Learning detection for sample 2->14 6 loaddll32.exe 1 2->6         started        process3 process4 8 WerFault.exe 3 9 6->8         started        10 WerFault.exe 3 9 6->10         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/538dbb8edaeba882aaf0b8f624a043699dd7544784352352a3b2b28ab6bad8e1/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-01-21 11:26:34 UTC
File Type:
PE (Dll)
Extracted files:
69
AV detection:
31 of 46 (67.39%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
2cb94e38a1930e97de56e8a310155f8b98f4effa7ffd5e3553bec6f5f9539fb2
Dridex
39a05f74f92f6552734c04faebde326200f02f60b5c10a1062195a04ab94da8d
Dridex
5e55bed21d40097b28a4e7eeb0cfbd128c5518b60ba9453bd6ffd7f3d2743114
Dridex
6dd691de8fde45048114ef90b481ca7160fe39ab182e727b073f3fda3e2f3259
Dridex
88813cbb3272347ca08a88e9ce1064bfdaf317d564c8c22c377f18a6e6fa2618
Dridex
a81a824a4030808e0998064a90a4905fa87808e46f75c0c8d38a8f771a0d3288
Dridex
ac0e2a63a741fe311d13210f830d6995ade78652b6705420d1c382cd8a825eab
Dridex
b1c5f8455b82ed52709846267e516590c9e97019fe406691eb5b100e45e3bd78
Dridex
eac020aa33b9585b92e202a58b1924b1b628a7cad2d39236b423110c221fa481
Dridex
f6958b6419aa600cedccb269ab7727319c7bab43bf0a99f5e2a3e9e2565b27e0
Dridex
+ 149 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet discovery evasion loader trojan
Link:
https://tria.ge/reports/210121-2mqyqnrgwa/
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blocklisted process makes network request
Dridex Loader
Dridex
Malware Config
C2 Extraction:
77.220.64.40:443
8.4.9.152:3786
185.246.87.202:3098
Unpacked files
SH256 hash:
56a59226904cbdb2662e2180b4e879b659856675d7d27503a37a94f9ea35ff14
MD5 hash:
4a5ff3ec180cea9849c69997d4bc21dd
SHA1 hash:
286f2e17cb28caabf9db8ecfcc1b41ced6107ffb
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/6bc3a496-c6be-4c63-a7a5-6538e8676f10/
Parent samples :
f6958b6419aa600cedccb269ab7727319c7bab43bf0a99f5e2a3e9e2565b27e0
39a05f74f92f6552734c04faebde326200f02f60b5c10a1062195a04ab94da8d
538dbb8edaeba882aaf0b8f624a043699dd7544784352352a3b2b28ab6bad8e1
75696d0d13749306f8dbb5818e181ea2093e166189b480b3c58c4ceb8770d064
SH256 hash:
fdbda476e79e7dac8b899f09631765701e71541a3ed1165df414475945fb15d9
MD5 hash:
715de7c9ee1c26dc57e7cd7989e1b707
SHA1 hash:
f67a5adbf88fa4d9845860b648036e1454d3806a
Link:
https://www.unpac.me/results/6bc3a496-c6be-4c63-a7a5-6538e8676f10/
SH256 hash:
538dbb8edaeba882aaf0b8f624a043699dd7544784352352a3b2b28ab6bad8e1
MD5 hash:
67de209a26b0392ec68f1acadfcd3b8c
SHA1 hash:
1239384045ed93a2932c66bce075858584b171c1
Link:
https://www.unpac.me/results/6bc3a496-c6be-4c63-a7a5-6538e8676f10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dridex
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/538dbb8edaeba882aaf0b8f624a043699dd7544784352352a3b2b28ab6bad8e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_dridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113268/

Comments