MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82902f13b895c92b0995e65d4de03ff0cd50d89bbc027dc5e7ec338d9bede821. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82902f13b895c92b0995e65d4de03ff0cd50d89bbc027dc5e7ec338d9bede821
SHA3-384 hash: 73ae4369da9dff6f949716bf30810819c1c388f955780bab2d77465c2c047ca08e1566a9a0279e3890582d9ce8744275
SHA1 hash: 3a36e1aa2fa0fb92ef55f6b9a1a3f39a95e19147
MD5 hash: 3971aedd89deabb34399a7eb32e6bd96
humanhash: triple-finch-table-artist
File name:Gift_Card-.scr
Download: download sample
Signature Dridex
Create hunting rule
File size:964'387 bytes
First seen:2020-11-26 04:32:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 12288:YY20AljdZgBPfKfxVST7whturB+1LtIcXFJ2VRQV5YoUNmOJYWjD2IZPMagGL:920gPgFKbE7ag+LlcnQjYoomwYWjfJ
Threatray 213 similar samples on MalwareBazaar
TLSH B1259C637A0A8C56C03353FD4050E3B997271F98E66692475AF0ED37FAD1A835E2E2C1
Reporter JAMESWT_WT
Tags:Dridex scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/547655
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82902f13b895c92b0995e65d4de03ff0cd50d89bbc027dc5e7ec338d9bede821/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 02:27:53 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qkic6e5ysxeswcmv4zou3yb76dgvbwe3xqbh3rph5qzy3g7n5aqq._file
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
24e9d45999add1dac491b4c3cfb55b77b95a46bc693eec9df56d6194b7fbe25e
Dridex
560478c5532f341407bed4a90de3f7a53bb36d500691f1f41e7d18a44f354f8a
Dridex
79a3a7441a371606291f8bd47216a503b27a38ec61ba7604c9ba2597a54cc3d8
Dridex
83c390d82e19beec14d007b7350f4296c23ce9b3d131a3670ebb7424ad917410
Dridex
9f38af84820dc29e805029409bbb2a5765036775973e3898b6db1f66c1b47270
Dridex
b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c
Dridex
d554bef77e35bbaa325fc61e5bca1ae419f9b2222110c913eb09b9369563c061
Dridex
df2ed991a6ab65f2bc05805376dcf34de7febc5c5d4b37d400546e4e01d90fc0
Dridex
fa4745a9f86a7516cc6fdf77834b1b9ab83ba3a29743461eabe2bec180c9de86
Dridex
fd6f6c377f403f5faccf5c4bb03a0d5af94f7f57ac13572a42b187cdbda027cc
Dridex
+ 203 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet loader
Link:
https://tria.ge/reports/201126-yybw6m5djj/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Loads dropped DLL
Dridex Loader
Dridex
Malware Config
C2 Extraction:
194.225.58.216:443
178.254.40.132:691
216.172.165.70:3889
198.57.200.100:3786
Unpacked files
SH256 hash:
82902f13b895c92b0995e65d4de03ff0cd50d89bbc027dc5e7ec338d9bede821
MD5 hash:
3971aedd89deabb34399a7eb32e6bd96
SHA1 hash:
3a36e1aa2fa0fb92ef55f6b9a1a3f39a95e19147
Link:
https://www.unpac.me/results/e1111195-8bfc-4319-bc02-9fbe6c40b322/
SH256 hash:
6070c9ba26cde8093d2db335335b8542f41040a64ba715334a6a5a903e731808
MD5 hash:
c2ddc6490c4c00eb138a0259bdc0a15d
SHA1 hash:
9f297ba09c9e8ca275a385280edaf31b5bb89bc4
Link:
https://www.unpac.me/results/e1111195-8bfc-4319-bc02-9fbe6c40b322/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_dridex_loader_v2
Create hunting rule
Author:Johannes Bader @viql
Description:detects some Dridex loaders

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105580/

Comments