MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7103c9d1c2a64b80a4b69e3d91487b602fd4ede836722fa9c0daf4fe09a2b7cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Dridex


Vendor detections: 5



SHA256 hash: 7103c9d1c2a64b80a4b69e3d91487b602fd4ede836722fa9c0daf4fe09a2b7cd
SHA3-384 hash: df502cf6d74411459c6c67a51826ebce117b4e1fa7bbe8da0bfe1c9c4a017d95fca75838f57a3b9be7f7eba8b54090f6
SHA1 hash: 3d6253901688db87fe9e3299cb61c9118b16ba0b
MD5 hash: f66682f19ae1531d64fc9cf409202e42
humanhash: sierra-kitten-eighteen-september
File name: ejrwqokckt.exe
Signature: Dridex
File size: 253'952 bytes
First seen: 2020-04-02 15:52:06 UTC
Last seen: 2020-04-02 16:50:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1cd3f58a9d87c90332721b368bf38688 (1 x Dridex)
ssdeep: 3072:9DTrfyYfMmr9gRfMMh2OrepJIFpx7BJKSugZGIpqsdvJXk:hX392MuX40ALgZ/pqs
Threatray: 292 similar samples on MalwareBazaar
TLSH: 9444D056B3FE5568F5F7BF30A83952620F1B3DD6A839D10D8300C58E9A35A24CDA4B32
Reporter: abuse_ch
Tags: Dridex exe


abuse_ch
Dridex malspam campaign sent from GMX mailservers (compromised email accounts?), example:

HELO: mout.gmx.net
Sending IP: 212.227.15.15
From: Daphna Carri <January.Fejes86848@gmx.com>
Subject: Invoice Due #854962
Attachment: 854962.xls

Dridex payload URLs:
http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe
http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 125
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-04-02 16:35:28 UTC
File Type: PE (Exe)
AV detection: 27 of 31 (87.10%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_dridex_g2
Author: Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Dridex | Executable exe 7103c9d1c2a64b80a4b69e3d91487b602fd4ede836722fa9c0daf4fe09a2b7cd (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
