MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 947cfb6d949f9a30f0c66d2aaabb0ccbe4cd0acf735abebc0e929e49c9fe83eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Dridex
Vendor detections: 10


SHA256 hash: 947cfb6d949f9a30f0c66d2aaabb0ccbe4cd0acf735abebc0e929e49c9fe83eb
SHA3-384 hash: bf130f14b7f1657e145ac6740383c3fb5f66b13ea7e20309ab3ddcfba50f05612689ef74dc5742a5739fa3bd62d6cc1c
SHA1 hash: 599267f47c25f6eafa52ace80dfd9fad2aa798d8
MD5 hash: 11d52c5c4588cc43842dca09a21f1eb6
humanhash: three-oregon-sink-berlin
File name: 11d52c5c4588cc43842dca09a21f1eb6
Signature: Dridex
File size: 524'288 bytes
First seen: 2021-12-20 17:27:50 UTC
Last seen: 2021-12-21 13:59:37 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 5ad3b93adc2f9b7a31e634988c069f77 (85 x Dridex)
ssdeep: 12288:92cK4kV9W/k7MNKABzMyLi8E6+DnOM2Swyuwn:MkMs9
Threatray: 5'710 similar samples on MalwareBazaar
TLSH: T114B4AF92D60F6757E43C32B3E8E36436AB434F280DD4BDE5BA00764B733D498A49D686
Reporter: zbetcheckin
Tags: 32 dll Dridex exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 148
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph (ID: 543004; sample: SvKICNsMOT; start date: 20/12/2021; architecture: WINDOWS; score: 80)
Network contacts: 89.31.56.58 (UNITHOST-ASNL, Netherlands); 51.159.52.196 (OnlineSASFR, France); 2 other IPs or domains
Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; 3 other signatures
Process tree:
loaddll32.exe (Tries to delay execution: extensive OutputDebugStringW loop)
  cmd.exe
    rundll32.exe
      WerFault.exe
  rundll32.exe
    WerFault.exe
Threat name: Win32.Trojan.KryptikAGen
Status: Malicious
First seen: 2021-12-20 17:28:13 UTC
File Type: PE (Dll)
AV detection: 26 of 28 (92.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dridex botnet:22203 botnet loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Dridex Loader
Dridex
Malware Config
C2 Extraction:
51.159.52.196:443
134.209.247.135:6602
194.233.68.48:5228
89.31.56.58:593
Unpacked files
SHA256 hash: d498467052b610da6fc8d59e245a1b29306dd79cb47b52991082755dfec5bf15
MD5 hash: ffeed13e5516f419ee3985a35b282462
SHA1 hash: fc85566576f4edac7b42e6da5eb7fb11a4bca09a
Detections: win_dridex_auto
Parent samples:
SHA256 hash: 947cfb6d949f9a30f0c66d2aaabb0ccbe4cd0acf735abebc0e929e49c9fe83eb
MD5 hash: 11d52c5c4588cc43842dca09a21f1eb6
SHA1 hash: 599267f47c25f6eafa52ace80dfd9fad2aa798d8
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DridexLoader
Author: kevoreilly
Description: Dridex v4 dropper C2 parsing function

Rule name: DridexV4
Author: kevoreilly
Description: Dridex v4 Payload

Rule name: dridex_loader
Author: kevoreilly
Description: Dridex Loader

Rule name: MALWARE_Win_DLLLoader
Author: ditekSHen
Description: Detects unknown DLL Loader

Rule name: win_doppeldridex_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.doppeldridex.

Rule name: win_dridex_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.dridex.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Dridex
DLL 947cfb6d949f9a30f0c66d2aaabb0ccbe4cd0acf735abebc0e929e49c9fe83eb (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2021-12-20 17:27:52 UTC

url : hxxp://skyviewonlineltd.com/QXCFV/iMzLYIacjTSkkklgbtq.bin