MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95d74bd7b19308c35a9439ba6a4b494b9a633ac9c5026e9b6127a2def24ffa3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Dridex


Vendor detections: 4



SHA256 hash: 95d74bd7b19308c35a9439ba6a4b494b9a633ac9c5026e9b6127a2def24ffa3f
SHA3-384 hash: 34f95d9890ba111a097ad561dc644399a7d7b66a332864ea260086b32c20ba42cdcb06d9fd5233f90d128829a9f8ed33
SHA1 hash: d71bc5a4d7e6d43d408760f8718b75136a208ecc
MD5 hash: ca4d8376794830f2c46e5b32ce24b51e
humanhash: earth-jupiter-east-fanta
File name: qmzo.exe
Signature: Dridex
File size: 282'624 bytes
First seen: 2020-04-22 17:35:31 UTC
Last seen: 2020-04-22 19:37:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 643cdcf7c42fa56b19080e372ca127c0 (1 x Dridex)
ssdeep: 3072:gQDRfsRZYCdnOBOKN2KYe6i53ZMAJ2unU6uPIKPTNjDK7EinItZGx0LWJAYlAYoe:5TGnOQW1Ye6i5ounGPFIEWAM6L
Threatray: 75 similar samples on MalwareBazaar
TLSH: 36540242E741B88DE817823164C39D6A6031ED37BD5ADD6376983E1B3E7ED22D902363
Reporter: abuse_ch
Tags: COVID-19 Dridex exe GMX
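A quick way to confirm that a file pulled from the feed is this entry, and not a near-duplicate build that merely clusters with it on ssdeep or TLSH, is to recompute the digests recorded above. The script below is an added example, not MalwareBazaar's own code. It checks the four digests the standard library can compute (SHA256, SHA3-384, SHA1, MD5) plus the recorded file size, and skips imphash, ssdeep and TLSH, which need third-party libraries (pefile, ssdeep, tlsh). The command-line usage and function names are assumptions of the example.

```python
"""Verify a local file against the hashes recorded in a MalwareBazaar entry.

Added example, not MalwareBazaar code. Only the hashlib-computable digests
(SHA256, SHA3-384, SHA1, MD5) and the size are checked; imphash, ssdeep and
TLSH need third-party libraries and are not recomputed here.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Digests and size copied from the entry above.
ENTRY_HASHES = {
    "sha256": "95d74bd7b19308c35a9439ba6a4b494b9a633ac9c5026e9b6127a2def24ffa3f",
    "sha3_384": "34f95d9890ba111a097ad561dc644399a7d7b66a332864ea260086b32c20ba42"
                "cdcb06d9fd5233f90d128829a9f8ed33",
    "sha1": "d71bc5a4d7e6d43d408760f8718b75136a208ecc",
    "md5": "ca4d8376794830f2c46e5b32ce24b51e",
}
ENTRY_SIZE = 282624  # "282'624 bytes" in the entry


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Return the four digests of `data` as lowercase hex, keyed like ENTRY_HASHES."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def check_sample(data: bytes, expected: Dict[str, str],
                 expected_size: Optional[int] = None) -> List[Tuple[str, object, object]]:
    """Compare `data` against an entry; return (field, expected, actual) mismatches.

    An empty list means every recorded digest (and the size, if given) matched.
    Hex comparison is case-insensitive because feeds differ in casing.
    Algorithms not in compute_hashes (imphash, ssdeep, tlsh) are skipped.
    """
    mismatches: List[Tuple[str, object, object]] = []
    if expected_size is not None and len(data) != expected_size:
        mismatches.append(("size", expected_size, len(data)))
    actual = compute_hashes(data)
    for name, want in expected.items():
        if name not in actual:
            continue
        if actual[name] != want.lower():
            mismatches.append((name, want.lower(), actual[name]))
    return mismatches


def check_file(path: str, expected: Dict[str, str] = ENTRY_HASHES,
               expected_size: int = ENTRY_SIZE) -> List[Tuple[str, object, object]]:
    """Hash a file from disk (read in one go; feed samples are small)."""
    return check_sample(Path(path).read_bytes(), expected, expected_size)


if __name__ == "__main__":
    import sys
    problems = check_file(sys.argv[1])  # e.g. python verify_hashes.py qmzo.exe
    for field_name, want, got in problems:
        print(f"{field_name}: expected {want}, got {got}")
    print("MATCH" if not problems else "MISMATCH")
```

A non-empty mismatch list means the bytes on disk are not the ones this entry describes, whether because a different build was downloaded or because the file was altered in transit.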


abuse_ch
COVID-19 themed malspam sent from GMX mailserver, distributing Dridex:

HELO: mout.gmx.net
Sending IP: 212.227.17.20
From: Sephira Bobinette <Silvia.Gronewald3533840@gmx.com>
Subject: RE: Review COVID-10 Policy
Attachment: covid19_753651.xls

Dridex payload URL:
http://toliku.com/qmzo.exe
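The chain in the comment (GMX relay, COVID-themed .xls attachment, download of qmzo.exe from toliku.com) can be turned into mail-gateway and proxy detection logic. The script below is an added example and not abuse_ch's or MalwareBazaar's code. The indicator values come from the comment; the key=value log line format, the weights, the verdict thresholds and the generalised attachment-name pattern are assumptions. It deliberately weights the HELO and sending IP low: mout.gmx.net / 212.227.17.20 is the GMX outbound mail server the comment says carried this mail, so matching it only proves the message came via GMX, while the attachment naming pattern and the payload host are the indicators worth alerting on.

```python
"""Match mail-gateway and proxy events against the IOCs in the comment above.

Added example; not abuse_ch's or MalwareBazaar's code. Indicator values come
from the comment; the log format (key=value pairs), weights, thresholds and
the attachment-name generalisation are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators from the abuse_ch comment.
SENDING_IP = "212.227.17.20"
HELO_NAME = "mout.gmx.net"
PAYLOAD_URL = "http://toliku.com/qmzo.exe"
PAYLOAD_HOST = urlsplit(PAYLOAD_URL).hostname  # toliku.com
# Generalised from the one observed name, covid19_753651.xls: assumption that
# the numeric suffix varies per message while prefix and extension do not.
ATTACHMENT_RE = re.compile(r"^covid[-_]?19_\d+\.xls$", re.IGNORECASE)
SUBJECT_RE = re.compile(r"covid", re.IGNORECASE)

ALERT, REVIEW, PASS = "alert", "review", "pass"


@dataclass
class Finding:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def verdict(self) -> str:
        # Thresholds are assumptions; tune to the environment.
        return ALERT if self.score >= 5 else REVIEW if self.score >= 3 else PASS


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse key=value pairs; values may be double-quoted to contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}


def score_mail_event(fields: Dict[str, str]) -> Finding:
    """Score one inbound-mail event.

    The relay fields only prove the mail came via GMX, so they score 1 each;
    the campaign attachment pattern carries the weight.
    """
    f = Finding()
    if fields.get("ip") == SENDING_IP:
        f.add(1, "sending IP matches the GMX relay seen in the campaign (low fidelity)")
    if fields.get("helo", "").lower() == HELO_NAME:
        f.add(1, "HELO matches the GMX relay seen in the campaign (low fidelity)")
    if SUBJECT_RE.search(fields.get("subject", "")):
        f.add(1, "COVID-themed subject")
    attachment = fields.get("attachment", "")
    if ATTACHMENT_RE.match(attachment):
        f.add(5, f"attachment name matches campaign pattern: {attachment}")
    elif attachment.lower().endswith((".xls", ".xlsx", ".xlsm")):
        f.add(2, f"Excel attachment: {attachment}")
    return f


def score_url_event(url: str) -> Finding:
    """Score one outbound HTTP request (the macro's download stage)."""
    f = Finding()
    parts = urlsplit(url)
    if url == PAYLOAD_URL:
        f.add(10, "exact Dridex payload URL")
    elif parts.hostname == PAYLOAD_HOST:
        f.add(5, f"request to payload host {PAYLOAD_HOST}: {parts.path}")
    return f


# Constructed log lines for demonstration (not real gateway output).
MAIL_LOG = [
    'ts=2020-04-22T17:36:02Z helo=mout.gmx.net ip=212.227.17.20 '
    'from=Silvia.Gronewald3533840@gmx.com subject="RE: Review COVID-10 Policy" '
    'attachment=covid19_753651.xls',
    # Ordinary GMX user mail: same relay, nothing else suspicious.
    'ts=2020-04-22T17:36:10Z helo=mout.gmx.net ip=212.227.17.20 '
    'from=someone@gmx.de subject="Dinner on Friday?" attachment=-',
]


def triage(lines: List[str]) -> List[str]:
    """Return the verdict for each mail log line, in order."""
    return [score_mail_event(parse_kv_line(line)).verdict for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(MAIL_LOG, triage(MAIL_LOG)):
        print(verdict.upper(), parse_kv_line(line).get("subject"))
    print(score_url_event(PAYLOAD_URL).verdict)
```

The second constructed line is the reason for the weighting: it hits the same relay IP and HELO as the malspam and still comes out as "pass", so the rule does not block every GMX user to catch one campaign.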

Intelligence

File Origin
# of uploads: 3
# of downloads: 121
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Zenpak
Status: Malicious
First seen: 2020-04-22 17:47:19 UTC
File Type: PE (Exe)
Extracted files: 37
AV detection: 26 of 28 (92.86%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Dridex
    Executable exe 95d74bd7b19308c35a9439ba6a4b494b9a633ac9c5026e9b6127a2def24ffa3f (this sample)

Delivery method: Distributed via web download

BLint

The following tables provide more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                   | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                    | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)  | high

Reviews
ID                | Capabilities                   | Evidence
AUTH_API          | Manipulates User Authorization | USER32.dll::GetUserObjectSecurity
WIN_BASE_API      | Uses Win Base API              | KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs     | KERNEL32.dll::GetConsoleCP
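Both BLint findings come from two header fields that can be read directly with the standard library: the DllCharacteristics word of the PE optional header (HIGH_ENTROPY_VA is bit 0x0020) and the security data directory (entry 4), which is non-zero when an Authenticode WIN_CERTIFICATE blob is attached to the file. The checker below is an added example, not BLint's code; build_minimal_pe fabricates a header-only PE so the checks can be exercised without the sample on disk. Two caveats the table does not state: HIGH_ENTROPY_VA only affects 64-bit images, so this example reports it as not applicable for a PE32 file rather than missing (a design choice here, not necessarily BLint's), and a present security directory means a signature is attached, not that it verifies.

```python
"""Reproduce BLint's two findings directly from the PE headers.

Added example, not BLint's code. Parses the COFF and optional headers with
struct only; build_minimal_pe is a constructed, non-loadable test input.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def pe_security_properties(data: bytes) -> dict:
    """Return mitigation-related properties read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symp, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    # Subsystem (68) and DllCharacteristics (70) sit at the same offsets in PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # NumberOfRvaAndSizes and the data directories shift by 16 bytes in PE32+.
    n_dirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dirs = opt + (112 if pe32plus else 96)
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": machine,                       # 0x14C = i386, 0x8664 = x64
        "pe32plus": pe32plus,
        "dll_characteristics": dll_chars,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "guard_cf": bool(dll_chars & GUARD_CF),
        # HIGH_ENTROPY_VA only has an effect on 64-bit images: None means "not applicable".
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA) if pe32plus else None,
        # The security directory holds a raw file offset (not an RVA) to a
        # WIN_CERTIFICATE blob. Presence is not validity.
        "authenticode_present": sec_off != 0 and sec_size != 0,
    }


def blint_style_findings(props: dict) -> list:
    """Map the properties to the two finding IDs BLint reported for this sample."""
    findings = []
    if not props["authenticode_present"]:
        findings.append("CHECK_AUTHENTICODE")
    if props["pe32plus"] and not props["high_entropy_va"]:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    return findings


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True, signed: bool = False) -> bytes:
    """Constructed header-only PE (not loadable) for exercising the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = (112 if pe32plus else 96) + 16 * 8          # header + 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)                      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)  # NumberOfRvaAndSizes
    if signed:
        # Point the security directory at a (fake) certificate blob past the headers.
        dirs = 112 if pe32plus else 96
        struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x100)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # e.g. python pe_mitigations.py qmzo.exe
        props = pe_security_properties(fh.read())
    print(props)
    print(blint_style_findings(props))
```

For the real sample, pass its bytes to pe_security_properties; to validate an attached signature rather than merely detect it, use signtool or osslsigncode.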

Comments