MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63cf7a2bff240f1ad2ea0e1d7ff4885cc174d346f04c42e6e8f6209df2acc614. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63cf7a2bff240f1ad2ea0e1d7ff4885cc174d346f04c42e6e8f6209df2acc614
SHA3-384 hash: afee8a4facc39a87133f7503c7363252d2e454bdc958e2e4515e6a051f1f0fed94725958ef234f385a8760f6a77f2ce3
SHA1 hash: 4d5b967b9e11003f922eeeee8e3af4ec362f395c
MD5 hash: b27c5ea73724943b7b14ba9704c88991
humanhash: diet-lactose-east-dakota
File name:INV.-2584745_20210920.xlsb
Download: download sample
Signature Dridex
Create hunting rule
File size:202'618 bytes
First seen:2021-09-20 18:01:56 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 6144:oxwsvK0keUaAqWkBYV0R6zwSRUC8V/hwZ5K:8wsDr1WOYVYYsCK/hw7K
TLSH T12814F205227518ADE27D067A4CD35EBB93214A112800FF1F63F2EA1D5D7F2BB7686C86
Reporter abuse_ch
Tags:22201 Dridex xlsb xlsx


Avatar
abuse_ch
Dridex payload URL:
https://cdn.discordapp.com/attachments/889484773976862803/889484964440199218/3_System.Diagnostics.Contracts.dll.dll

Dridex C2s:
103.42.56.15:443
169.255.57.61:8116
128.199.192.135:6602

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV.-2584745_20210920.xlsb
Verdict:
Malicious activity
Analysis date:
2021-09-20 17:08:07 UTC
Tags:
macros40
Link:
https://app.any.run/tasks/9244ae26-12c1-416d-8336-b8b7d006f1c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189572/
Detection(s):
TwinWave.EvilDoc.XL4DridexCarryOn.20210823.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.XLSBLOLBINHammerToFall.20210414.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.PDATARootDown.20210908.UNOFFICIAL
Create hunting rule

securiteinfo.com.xls4.icedid.42146.18521.21104.UNOFFICIAL
Create hunting rule

securiteinfo.com.xls4.icedid.42146.5997.6818.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
OOXML Excel File with Excel4Macro
Link:
https://app.docguard.net/63cf7a2bff240f1ad2ea0e1d7ff4885cc174d346f04c42e6e8f6209df2acc614/results/dashboard
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/63cf7a2bff240f1ad2ea0e1d7ff4885cc174d346f04c42e6e8f6209df2acc614
Details
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854337
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to create processes via WMI
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious WMI Execution Using Rundll32
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486765 Sample: INV.-2584745_20210920.xlsb Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 38 169.255.57.61 Web4AfricaZA South Africa 2->38 40 103.42.56.15 VNPT-AS-VNVNPTCorpVN Viet Nam 2->40 42 128.199.192.135 DIGITALOCEAN-ASNUS United Kingdom 2->42 50 Found malware configuration 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 9 other signatures 2->56 8 EXCEL.EXE 31 25 2->8         started        12 mshta.exe 4 12 2->12         started        15 rundll32.exe 2->15         started        signatures3 process4 dnsIp5 26 C:\Users\...\~$INV.-2584745_20210920.xlsb, data 8->26 dropped 28 C:\...\INV.-2584745_20210920.xlsb (copy), data 8->28 dropped 30 C:\Users\...\~$INV.-2584745_20210920.xlsb, data 8->30 dropped 32 C:\ProgramData\kXLnUfJrHynTq.rtf, HTML 8->32 dropped 58 Creates and opens a fake document (probably a fake document to hide exploiting) 8->58 17 WMIC.exe 8->17         started        44 cdn.discordapp.com 162.159.135.233, 443, 49167 CLOUDFLARENETUS United States 12->44 34 3_System.Diagnosti...ontracts.dll[1].dll, PE32 12->34 dropped 36 C:\ProgramData\itircl.png, PE32 12->36 dropped 20 mshta.exe 9 12->20         started        22 rundll32.exe 15->22         started        file6 signatures7 process8 signatures9 46 Creates processes via WMI 17->46 24 WMIC.exe 20->24         started        48 Tries to delay execution (extensive OutputDebugStringW loop) 22->48 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63cf7a2bff240f1ad2ea0e1d7ff4885cc174d346f04c42e6e8f6209df2acc614/
Threat name:
Document-Excel.Downloader.EncDoc
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 18:02:12 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mphxuk77eqhrvuxkbyox75eiltaxju2g6bgefzxi6yqj34vmyyka._file
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22201 botnet evasion loader macro trojan xlm
Link:
https://tria.ge/reports/210920-wmftgshden/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks whether UAC is enabled
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Dridex Loader
Dridex
Process spawned unexpected child process
Malware Config
C2 Extraction:
103.42.56.15:443
169.255.57.61:8116
128.199.192.135:6602
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63cf7a2bff240f1ad2ea0e1d7ff4885cc174d346f04c42e6e8f6209df2acc614

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Dridex

Excel file xlsx 63cf7a2bff240f1ad2ea0e1d7ff4885cc174d346f04c42e6e8f6209df2acc614

(this sample)

Dridex

DLL dll 261887acf9e4803b4eb8bf23c0d70a2f3c7ec9cdf0696a1eb64a34bdff646ea9

  
URLhaus
https://urlhaus.abuse.ch/url/1636325/
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189572/
  
Dropping
SHA256 261887acf9e4803b4eb8bf23c0d70a2f3c7ec9cdf0696a1eb64a34bdff646ea9
  
Dropping
MD5 8b22df205e4c8fa137cf4535c17f9615

Comments