MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe
SHA3-384 hash:	ca001a2e2265116534581e03b979ae3117e664bf11f5030ab242d1cfaf3a0354cba213a042c7ecdee9432f34963e8f46
SHA1 hash:	a9a7e1372e896842cdce281f35608cd0019dd966
MD5 hash:	4edcdb358f196720b42de2e604053b4d
humanhash:	stairway-jersey-fifteen-stream
File name:	updkas.exe
Download:	download sample
Signature	Dridex Create hunting rule
File size:	212'992 bytes
First seen:	2021-07-07 16:02:09 UTC
Last seen:	2021-07-07 16:52:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5ed8255955121801372e7c6b712481f8 (1 x Dridex)
ssdeep	3072:+SI+WoG9xtWHr+5me2pjf7rmWVOX4ntUke2hwQKwuIvh0Pe:ZItF9xQ+5d8jf7ynX4WcKw/h
Threatray	4'550 similar samples on MalwareBazaar
TLSH	T187241280D96ECD22E8531AB0B0A53635F697B412E73C88FAD5510E52D4E60BBAEF4394
Reporter	malwarelabnet
Tags:	Dridex exe

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

updkas.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-07 16:13:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6d23a7fd-3a4b-478f-8e39-21f53f7a151c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DridexLoader

Link:

https://www.capesandbox.com/analysis/170237/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.25381.19627.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dridex

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3194c737-769c-416c-bf15-b6da1e3693aa

Result

Threat name:

Dridex

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/812996

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Tries to detect virtualization through RDTSC time measurements

Yara detected Dridex unpacked file

Behaviour

Behavior Graph:

Download SVG

Detection:

dridex

Link:

https://mwdb.cert.pl/sample/60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-07-07 16:03:04 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=maus2du65fnjiau7za7gzlv5pwf3y2kl55cg3ecrtx3uhs6elt7a._file

Verdict:

malicious

Label(s):

doppeldridex

Result

Malware family:

dridex

Score:

10/10

Tags:

family:dridex botnet:22202 botnet evasion loader trojan

Link:

https://tria.ge/reports/210707-hmd6ycfshn/

Behaviour

Checks whether UAC is enabled

Dridex Loader

Dridex

Malware Config

C2 Extraction:

209.44.106.71:443
54.37.106.167:13786
207.58.132.19:9443

Unpacked files

SH256 hash:

e6b9a9c1af6611494adfa9e9cc24a89c98063ededf94f142c0f1edfdee191586

MD5 hash:

a3721dbea81f5ad7984396a38eeb44ea

SHA1 hash:

3100f2f3da41ccb7cc982aa0baec85fb2b8f9b7e

Detections:

win_doppeldridex_auto

Link:

https://www.unpac.me/results/6fbdfe73-d444-4b05-aa50-eafbd66cf76d/

SH256 hash:

60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe

MD5 hash:

4edcdb358f196720b42de2e604053b4d

SHA1 hash:

a9a7e1372e896842cdce281f35608cd0019dd966

Link:

https://www.unpac.me/results/6fbdfe73-d444-4b05-aa50-eafbd66cf76d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DridexLoader Create hunting rule
Author:	kevoreilly
Description:	Dridex v4 dropper C2 parsing function

Rule name:	win_doppeldridex_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.doppeldridex.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/170237/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample