MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54b2b42cfab413b5c0179cd0462ff75cb945805aa2044a36f63752798c1d71f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54b2b42cfab413b5c0179cd0462ff75cb945805aa2044a36f63752798c1d71f7
SHA3-384 hash: dc357a6b32ccc3cd38416eb7990683cb1b1fabcb5399a6de4f599f8a24ee0fb48d793da20c5b2fb87d680be6da3e387f
SHA1 hash: c18a148451e9f69bfcfa7c026e66ae24e8231a46
MD5 hash: 2f3ff63a50e61d59068a54428b0f3fc9
humanhash: music-happy-yankee-yellow
File name:0c6500a29a648b98357a6485c2096f48
Download: download sample
Signature Dridex
Create hunting rule
File size:835'584 bytes
First seen:2020-11-17 12:28:08 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 5e92f32f651506f0575c80a2bef24448 (90 x Dridex)
ssdeep 12288:TrcppXZ0b0exu8aDuoQ90sHd1ToS9YdfecpC/x5jMlJQbB9WMuuLqa8EmyCg:vwE0cu8aiT9hd1T34WckJuzOf8Emy7
Threatray 120 similar samples on MalwareBazaar
TLSH E905E02372FFCB39D2BAE6B0EAFBB525281CBD01C82AC585A026D107965057453B573F
Reporter seifreed
Tags:Dridex

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Generickdz-9772324-0
Create hunting rule

Win.Packed.Bulz-9775572-0
Create hunting rule

Win.Malware.Bankerx-9787378-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Creating a window
Changing a file
Forced system process termination
DNS request
Sending a custom TCP request
Forced shutdown of a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54b2b42cfab413b5c0179cd0462ff75cb945805aa2044a36f63752798c1d71f7/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 12:31:49 UTC
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kszlilh2wqj3lqaxttieml7xls4ulac2uiceunxwg5jhtda5oh3q._file
Verdict:
suspicious
Similar samples:
0a96a02b8a433bf8ed581d80dcb01829fe82ce1689d5ff1daeff1c475bd691bc
Dridex
0b8b45d5ce44f29662be3a9e42319df193e72f5f0d90dc07c0e3bba44e008a8a
Dridex
3ae73ef113e6e500f693fbf73643f6e4527c4c1e23fbf94237ad496d8129220d
Dridex
8f943ece40bec594277ada362671db24a94671dfd92f57ba5dc9d13cf6d3ff68
Dridex
a1d4e604fc4b08540cbf009e443bc58b561622bf8cb01385e9d4b408a6c3ede7
Dridex
b6452ecece1b26801d2fe53e1c90cb78f5f386eb1ff49ec4f0f283648b2cca9d
Dridex
c5b892af260a8940a9a0edca6d5b0c8876d77024f7e379225071cf574925fcb1
Dridex
f04fe7a54346132d9cb140451f3b8252eed6e18ebde9f5d7cc35e1fbffd0fe8c
Dridex
f106429110d7d86cdd391ff4996a39dc961867dc0b83b3961b481de4e9e21912
Dridex
f60cd98a4336fe0aa9bbb4659676b1be2a9d7fcfc2dfc5ccea2a367abb7a1969
Dridex
+ 110 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet evasion loader persistence trojan
Link:
https://tria.ge/reports/201117-x3kvlaflcj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Checks whether UAC is enabled
Enumerates connected drives
Modifies Installed Components in the registry
Dridex Loader
Dridex
Unpacked files
SH256 hash:
54b2b42cfab413b5c0179cd0462ff75cb945805aa2044a36f63752798c1d71f7
MD5 hash:
2f3ff63a50e61d59068a54428b0f3fc9
SHA1 hash:
c18a148451e9f69bfcfa7c026e66ae24e8231a46
Link:
https://www.unpac.me/results/0f08b7fc-4165-4690-ae1f-548cc2173981/
SH256 hash:
c42aa02384ab1810508982613752fd0c426da637d517f47fc346b2b2a71da727
MD5 hash:
82fbcf72c6c7370c416557f9d9e045a8
SHA1 hash:
9793466da1327e71f02ec2929aaf1267a2f981bc
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f08b7fc-4165-4690-ae1f-548cc2173981/
SH256 hash:
41132014d130630d54d6ae18e65a5cbedba89a7dc2a043148f3a640cd7421903
MD5 hash:
ca6c7750e8691832673750e5aa3ac013
SHA1 hash:
86ae269cf466261aa641b3bff73b86132892020e
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/0f08b7fc-4165-4690-ae1f-548cc2173981/
Parent samples :
94ecf3c688e8af8cff3f606185c0f01c964909c0c4155be28b8b103ec4f82ab7
b2d0c51f26369c14cff28785ed70f13c29f99460202affa48cf89133c9f10ef7
a0a7abef73d7229bf5eef516bbc24586e61eed7bfa3aaf81cde807e5e0637dd7
51abbe06ac531f2abe91d1228f1812d95a8050798dec46d966527c252f5a3a65
efe83af8f6c4be824f69b3e9b77e42e974ea1abc1e311e428f7d9a5e34e4f220
fec56cc0f628816a64bd668d011bbe1524fe4c266080b5ae93eae16daeeda153
7c7b30b574c1a70e9133af294797f85c0b2697eef625410021b15d49c5d2cb97
f106429110d7d86cdd391ff4996a39dc961867dc0b83b3961b481de4e9e21912
a577845703554f73f9810c0347e168d89f842918b387333f5b76b45f06ed1796
17d850a7c156f7913f6d3d8b304de60864882dca5b2c8d29a7a7c51a518afb95
c8e00727c4936f82a42a5d3908e9e2e3f4b0fc997a678b917b2aeaf82c88881f
dfc6dfc52704246597fe43525a276964439da4c93675c10e08ba79a453ff23f0
eda71aa32d9f424c4f2a3a34901e718022bc81aacb0445fd03f72d87b6ba0ad3
b6452ecece1b26801d2fe53e1c90cb78f5f386eb1ff49ec4f0f283648b2cca9d
a1d4e604fc4b08540cbf009e443bc58b561622bf8cb01385e9d4b408a6c3ede7
0a96a02b8a433bf8ed581d80dcb01829fe82ce1689d5ff1daeff1c475bd691bc
39f723dc9ee8a4cc2380dec93a8707b7671b146b5c2f3aa9abf52f6b72e89dff
5b7295dd730079596569be66a26d3ec9632ef67d06b11366b68c8d8081d6eab6
e653ef1bb3fd5f3fc15e575be538ead9813b63dfb2dac9643397c0b4ac9caa3a
cdbca886e920a020ece308c39374b3ff0afb91ed1e76441a2ed4ebf7185cd0c4
3ae73ef113e6e500f693fbf73643f6e4527c4c1e23fbf94237ad496d8129220d
b8d4ff7324bc40abb6ff8df5127111a3b7a214b937f787cdf0c8c14ff6b9a8d8
13e7d9f90c29149575cbcbd95e3500f6405e5a0e4fc55b12e3527a1e773bc4ee
35dde084e4f1debdde671df2162ea65d5b73b1d7a5ae9d0c1b458c13c79066af
1aa11fdc85a0232a37a5c7535ab09f45efe7aaa0ef7443837b947e0b1066ed35
d7e02b5a094e6391b2fa818044f9f44f8af223ddcdb43951d57207ac1b4da986
526f6ce8820a56e2ef71480d7adc6d6501dc3288f3bdb9c0254cf28ca28a3848
cd49ec07f3bfb622b3406f2490b87fa0dc8f17770566247c410e0474c4635caf
da9d8d1397f1319ff5b486b2b6b3b477cec9103fa261d721c0e98774aa7181ee
539e372c95fc13ce1a4b1fd1a4e85360ce1e87e33c949e71aa83ea711540a060
22d99a007efbde459002db578301425050191b98f396a8c7f7c3033b98faa875
c2b18f872544ac30b6f1168bf8fe7d226544266ae37bcb55f65be9022bb43673
c5b892af260a8940a9a0edca6d5b0c8876d77024f7e379225071cf574925fcb1
fac2ea6237c39eb07b72329fe22ac150842d1f112a56369d35ce58e00533bf43
7e2306d6abcbebfc5520d6e7e7f5781d5c7260b84b89903921597ecc37f84104
116e841a156bafc3624161b83870f4330088e899a765ff1c3800f063bb14971d
73c42edd55d0bda00438405a2d69b574624e045d9acc74b85cab289b0098815c
c0f9bcfd8691e49456b0b13783167142965ce41f62472691a0ccde36ef522c3f
bc1b442b71392fcf3233ba14f2c8a3c1feae5f69c2246d7505daf1dab2bc85c7
aa0a19150fde53d3cc4e5b557f70146c9d2b85c7ccf502d783623c60144ef001
58d861d37eed96eb1884005374d26119690f205c00aad0cbcd39042169c44856
257291a8b0bec85253f49cfd5ff8d0c6fa6e85d326350358afd8c36c51654a48
0b8b45d5ce44f29662be3a9e42319df193e72f5f0d90dc07c0e3bba44e008a8a
f04fe7a54346132d9cb140451f3b8252eed6e18ebde9f5d7cc35e1fbffd0fe8c
2bea3e4f5d2d6a6a087bd945d53e4ed03c22a3fe02b2c2a45889f7478805b9d3
b53e3ac24120c826b2da6db812c0be0f25387fecbb7741d07bd2d6460709ca2c
ea4121445edd8275763e783de369c64d1b5e37c9dfa767462889a2c42f133e92
2b585610591c4d819e8dceb2e8bb4d2914838648e362b3a54410302c24354562
e4e5ae6ba069f2b8aae6297f0e733c880161038d230da3981821d1817c0ae174
7d508c8c58cc60f2ccbe4c56fe7b7d768de0056d5da6eee1a624dab9b5d251e4
54b2b42cfab413b5c0179cd0462ff75cb945805aa2044a36f63752798c1d71f7
4ec9fdbf4910bb043eb75d858a4e2b857e71186f2d0a796e95f4b9f41646f8a4
0f15cb761912f22c805f287a9d00ea69c997d85a3669bd31f21808e4ac3f166c
117575378cdb8417249631f97692b696143e893ba230b972e742f8f3a4f9efaa
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:win_dridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_dridex_loader_v2
Create hunting rule
Author:Johannes Bader @viql
Description:detects some Dridex loaders

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments