MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 672ace07423b11c65be0e0cfcdea8e8a17517b033324b418a1b92d6139daa18d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 672ace07423b11c65be0e0cfcdea8e8a17517b033324b418a1b92d6139daa18d
SHA3-384 hash: 792a067ec71bde6ac4b7199898087ffd4ed0c1a2a0db0c7428f6485597cc5e8dc2982a3604e4bf202ffac26b59443734
SHA1 hash: 7e28c856061e2b23f02b74a2dd5edcae762ba04e
MD5 hash: 3a7d9e9c7b17f37cea12b4a9f2c6581b
humanhash: colorado-quiet-maryland-nine
File name:3a7d9e9c7b17f37cea12b4a9f2c6581b
Download: download sample
Signature Dridex
Create hunting rule
File size:167'936 bytes
First seen:2021-07-14 18:58:20 UTC
Last seen:2021-07-14 19:39:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e9cbee8358b331a128409a4d26e3e347 (5 x Dridex)
ssdeep 3072:5WiJzQu5JD9ko9WY1wzxWrPA/Nz7L5cWlvsRwmhnxONgk/:5LquAkPA/lX5WncNgk
Threatray 4'582 similar samples on MalwareBazaar
TLSH T1EAF3023272BB6AFAE276FD72065F9D31273064480318DA6F76019F86D95E0A34C6FB11
Reporter zbetcheckin
Tags:32 Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3a7d9e9c7b17f37cea12b4a9f2c6581b
Verdict:
Suspicious activity
Analysis date:
2021-07-14 18:59:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/07bbded2-6fd0-4dc3-a3ea-d3c6d5f593d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171805/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.14056.15780.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/107b09f3-3ee5-4232-b278-34baab8ba332
Result
Threat name:
Dridex Dropper
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816535
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Dridex dropper found
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/672ace07423b11c65be0e0cfcdea8e8a17517b033324b418a1b92d6139daa18d/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 17:30:38 UTC
File Type:
PE (Exe)
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m4vm4b2chmi4mw7a4dh432uorilvc6ydgmsligfbxewwcoo2uggq._file
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
3e3849f655bed5d4520d16e29b6f5a2b9f294243ca2f8bae7c16cd12c6d31a9f
Dridex
4c56a5a7e49b23fcfab4b8d469d42e583497178b9b237374db3e14289f2afc64
Dridex
5d9c6e1b85b728aa57e6afaefe26c1bcc5bb687b061ebae53a166d9453f4fd2c
Dridex
60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe
Dridex
6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
Dridex
8e2d3f6bc5f7b639638d2f5ec751bc2985f1636005131623c5d2c448885c5d89
Dridex
9ffe349bfcaac3ceffbbb5accf85814b0e08d204a02b63a9df9681235a464ecc
Dridex
cae068c4c59a4082133d44bdc9db33444b759f8f465a24b37b84670243bd5104
Dridex
f00e60f5f094abfe9448d10cb84194e73c0e0f2cb52f00d474d6420cb001c579
Dridex
+ 4'572 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22202 botnet evasion loader trojan
Link:
https://tria.ge/reports/210714-nkbhjhnran/
Behaviour
Checks whether UAC is enabled
Dridex Loader
Dridex
Malware Config
C2 Extraction:
202.29.60.34:443
66.175.217.172:13786
78.46.78.42:9043
Unpacked files
SH256 hash:
cdf2d38ade76f29ef5070cf81d6c324c6be51269e15007517526baa089c88655
MD5 hash:
b23470f5f701bba0b23a049efcc2203c
SHA1 hash:
674be33e8687fa8171bff1b7894a0fdb18f4080c
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/64766078-d1a4-4fed-90b2-7701b931d629/
SH256 hash:
672ace07423b11c65be0e0cfcdea8e8a17517b033324b418a1b92d6139daa18d
MD5 hash:
3a7d9e9c7b17f37cea12b4a9f2c6581b
SHA1 hash:
7e28c856061e2b23f02b74a2dd5edcae762ba04e
Link:
https://www.unpac.me/results/64766078-d1a4-4fed-90b2-7701b931d629/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/672ace07423b11c65be0e0cfcdea8e8a17517b033324b418a1b92d6139daa18d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:win_doppeldridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.doppeldridex.
Rule name:win_nymaim_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.nymaim.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

Executable exe 672ace07423b11c65be0e0cfcdea8e8a17517b033324b418a1b92d6139daa18d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1454656/
Cape
Cape
https://www.capesandbox.com/analysis/171805/
  
URLhaus
https://urlhaus.abuse.ch/url/1454661/
  
URLhaus
https://urlhaus.abuse.ch/url/1454663/
  
URLhaus
https://urlhaus.abuse.ch/url/1454679/
  
URLhaus
https://urlhaus.abuse.ch/url/1454680/
  
URLhaus
https://urlhaus.abuse.ch/url/1454844/
  
URLhaus
https://urlhaus.abuse.ch/url/1454882/
  
URLhaus
https://urlhaus.abuse.ch/url/1454946/
  
URLhaus
https://urlhaus.abuse.ch/url/1454967/
  
URLhaus
https://urlhaus.abuse.ch/url/1454968/
  
URLhaus
https://urlhaus.abuse.ch/url/1454973/
  
URLhaus
https://urlhaus.abuse.ch/url/1454986/
  
URLhaus
https://urlhaus.abuse.ch/url/1454999/
  
URLhaus
https://urlhaus.abuse.ch/url/1455013/
  
URLhaus
https://urlhaus.abuse.ch/url/1455019/
  
URLhaus
https://urlhaus.abuse.ch/url/1455021/

Comments


Avatar
zbet commented on 2021-07-14 18:58:22 UTC

url : hxxp://buyer-remindment.com:8088/js/file13.bin