MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8edb0f07fd2b11c74e1a910a1170c3c183073d6f28833bc07ffe2af5d89cf05b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Dridex


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1

SHA256 hash: 8edb0f07fd2b11c74e1a910a1170c3c183073d6f28833bc07ffe2af5d89cf05b
SHA3-384 hash: d17ec6256c9189b654e12cf79111f3d12b2fa6692f862e3611ae2abff3920b7b254daf207dd4568e10a3e5b08d2ffe56
SHA1 hash: 0891d5aa650a713914c4c5f2d82f86cd4548b34d
MD5 hash: d2b4e130a8d9b643d24d493bccb5619b
humanhash: high-paris-massachusetts-pluto
File name:d2b4e130_by_Libranalysis
Download: download sample
Signature Dridex
File size:165'888 bytes
First seen:2021-05-25 17:02:52 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 987b9d7dc84d935c3675da82d40e06f2 (8'604 x Dridex, 2 x Gozi, 1 x Tofsee)
ssdeep 3072:UmNFcsGvTmf9vOmoM0IZ5kPjBxYvdIL2KyOQaOP8+cMTH1PxsMYQnF1b1l:9Lc7UtOpM1Z5k1xYO2LXjTH1pH5nF1p
Threatray 22'402 similar samples on MalwareBazaar
TLSH BCF3D088CBB3E4E6EFB3D37866F85E1B561174551408F4F0C86CA68FA4ABD008AE50F1
Reporter Libranalysis
Tags:Dridex


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
Dridex Dropper
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Dridex dropper found
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Threat name:
Win32.Infostealer.Dridex
Status:
Malicious
First seen:
2021-05-25 16:41:49 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:dridex botnet:40112 botnet evasion loader trojan
Behaviour
Suspicious use of WriteProcessMemory
Checks whether UAC is enabled
Dridex Loader
Dridex
Malware Config
C2 Extraction:
107.172.227.10:443
172.93.133.123:2303
108.168.61.147:8172
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:DridexV4
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:MALWARE_Win_DLLLoader
Author:ditekSHen
Description:Detects unknown DLL Loader
Rule name:win_dridex_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll 8edb0f07fd2b11c74e1a910a1170c3c183073d6f28833bc07ffe2af5d89cf05b

(this sample)

  
Delivery method
Distributed via web download

Comments



Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-25 17:58:55 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0026.002] Data Micro-objective::XOR::Encode Data