MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 700f64d6c6b4d2a60caabece3666e93a74a2b47ad9de6ef0e414359a2f898657. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 700f64d6c6b4d2a60caabece3666e93a74a2b47ad9de6ef0e414359a2f898657
SHA3-384 hash: 1f7bbfc5717dfa931c9eb0866d796cea7066b4973f86866d08e2fbc0678d9bdfccc039b643e964fb650c452f2164b2bc
SHA1 hash: fcf0808fbdec28dbcce67a5e7a205980d7f7bc9a
MD5 hash: 77cf44a3d9efbf1d4b3a92c44d990efb
humanhash: snake-golf-maine-cola
File name:77cf44a3d9efbf1d4b3a92c44d990efb
Download: download sample
Signature Dridex
Create hunting rule
File size:577'536 bytes
First seen:2021-12-20 16:15:12 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c9628a85525bfe945f5e36dd40536a54 (7 x Dridex)
ssdeep 6144:JDwhfXAyRXuYDXCmFXayrX4S7XKyfXEyRtUWxXwEhXE65XcyjXuq5XqyHXoQ5XmO:uF8uFvRiXc
Threatray 5'642 similar samples on MalwareBazaar
TLSH T13DC49E8273634102EE82FDBF1D13746F4399369DF950F8A2F58E6A6A303E2B53165643
Reporter zbetcheckin
Tags:32 dll Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61c0ac46ec6c6c14a9e561be/reports/3eaec9c9-2903-41ab-a3e2-76220b081c3f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f34eab13-b1b9-4e9b-8625-4097fa44307a
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/910412
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 542889 Sample: UzgDinGRAz Startdate: 20/12/2021 Architecture: WINDOWS Score: 80 23 162.241.33.132 UNIFIEDLAYER-AS-1US United States 2->23 25 217.160.5.104 ONEANDONE-ASBrauerstrasse48DE Germany 2->25 27 2 other IPs or domains 2->27 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected Dridex unpacked file 2->35 37 3 other signatures 2->37 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 39 Tries to delay execution (extensive OutputDebugStringW loop) 9->39 12 cmd.exe 1 9->12         started        14 rundll32.exe 9->14         started        process6 process7 16 rundll32.exe 12->16         started        18 WerFault.exe 9 14->18         started        process8 20 WerFault.exe 23 9 16->20         started        dnsIp9 29 192.168.2.1 unknown unknown 20->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/700f64d6c6b4d2a60caabece3666e93a74a2b47ad9de6ef0e414359a2f898657/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-12-17 08:53:36 UTC
File Type:
PE (Dll)
AV detection:
30 of 43 (69.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oahwjvwgwtjkmdfkx3hdmzxjhj2kfnd23hpg54hecq2zul4jqzlq._file
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
01c3b24353de26b5638d7d9462b83d1b68448c4a0019be14aaa1dc60a09cd491
Dridex
1857f37001c2c96b7cfb6850dace37d19f9b5bedf49038ca93d2f421444b1816
Dridex
82401c527367babbab2dd52ae4e93b3d3085264a20c58a40c6d5ebfae4ff7a12
Dridex
98058909fe77d37d42c642f2dc103f417cff699c75b96aa829058cd286edcdef
Dridex
a5237c075063efcd0257ecfa5b2c88217668a0495bb5d857649c25679ee5972f
Dridex
+ 5'632 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22201 botnet loader
Link:
https://tria.ge/reports/211220-tqslcabbe8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Dridex Loader
Dridex
Malware Config
C2 Extraction:
104.36.167.47:443
188.40.48.93:4664
162.241.33.132:9217
217.160.5.104:593
Unpacked files
SH256 hash:
5b5d1abb0d907a2fd899a5fa32ebcbdc9fc65708196d4a880d752377a280aec8
MD5 hash:
d2c7ff6605609309aff3a1d540b1eb95
SHA1 hash:
fdccb7305f1b6a70520bda77038e2400893fe776
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/84d92c48-f068-4c88-a7da-8ab5c01004a4/
SH256 hash:
d1d7e6ebe938c208ceb900621c55ec1dd93ad0ae17b074325b8b6eb072dc9e19
MD5 hash:
3f33b1edd5865cf95e40249e9a419cc0
SHA1 hash:
02a8c0ce379a6aa31bb247ae1ab738c1789266c2
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/84d92c48-f068-4c88-a7da-8ab5c01004a4/
Parent samples :
01c3b24353de26b5638d7d9462b83d1b68448c4a0019be14aaa1dc60a09cd491
98058909fe77d37d42c642f2dc103f417cff699c75b96aa829058cd286edcdef
82401c527367babbab2dd52ae4e93b3d3085264a20c58a40c6d5ebfae4ff7a12
1857f37001c2c96b7cfb6850dace37d19f9b5bedf49038ca93d2f421444b1816
a5237c075063efcd0257ecfa5b2c88217668a0495bb5d857649c25679ee5972f
6d7edfb3152bfcb50f74e698b22af80b169be133a6af174892cf9bf55544c602
700f64d6c6b4d2a60caabece3666e93a74a2b47ad9de6ef0e414359a2f898657
SH256 hash:
700f64d6c6b4d2a60caabece3666e93a74a2b47ad9de6ef0e414359a2f898657
MD5 hash:
77cf44a3d9efbf1d4b3a92c44d990efb
SHA1 hash:
fcf0808fbdec28dbcce67a5e7a205980d7f7bc9a
Link:
https://www.unpac.me/results/84d92c48-f068-4c88-a7da-8ab5c01004a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/700f64d6c6b4d2a60caabece3666e93a74a2b47ad9de6ef0e414359a2f898657

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:dridex_loader
Create hunting rule
Author:kevoreilly
Description:Dridex Loader
Rule name:MALWARE_Win_DLLLoader
Create hunting rule
Author:ditekSHen
Description:Detects unknown DLL Loader
Rule name:win_doppeldridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.doppeldridex.
Rule name:win_dridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.dridex.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll 700f64d6c6b4d2a60caabece3666e93a74a2b47ad9de6ef0e414359a2f898657

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1902537/

Comments


Avatar
zbet commented on 2021-12-20 16:15:14 UTC

url : hxxps://preusz.com/1U9/HaDQhqsyljvaginapussy.bin