MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99afafb9edf09d9430d229df428dd5532de770adbfdb5aa798574607cb6b15a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99afafb9edf09d9430d229df428dd5532de770adbfdb5aa798574607cb6b15a2
SHA3-384 hash: a8317147404441339c0d03ec959bc6d383cc0dbc2d35aabfa9a47cf4b308491e4fc92573bcbcd7cf3f8a4010f62b35f0
SHA1 hash: bb575b5e829581a40cfdab385c52108f08bfd57b
MD5 hash: 925412d32980c6ede6140e576fda5753
humanhash: don-high-missouri-network
File name:Statement_1321.xll
Download: download sample
Signature Dridex
Create hunting rule
File size:572'928 bytes
First seen:2021-12-14 16:43:04 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash de92ddb295132323885964c44ba1a4fc (7 x Dridex)
ssdeep 12288:vHzhL3/Z3+AZXkOCH8bzbBSreg48kvN91KVWf9:vHzhz/ZOABkjcX1Q48kFmg
Threatray 10 similar samples on MalwareBazaar
TLSH T1A1C49E57F6E77A65E6AFC2BAC6B1C92D66B3349202B0C3CE774055892913391483DB0F
Reporter cocaman
Tags:Dridex xll


Avatar
cocaman
Malicious email (T1566.001)
From: ""telegram-mainserv0.live" <info@telegram-mainserv0.live>" (likely spoofed)
Received: "from mail.telegram-mainserv0.live (unknown [192.162.246.99]) "
Date: "Tue, 14 Dec 2021 19:14:43 +0300"
Subject: "Transaction Proceeded"
Attachment: "Statement_1321.xll"

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Statement_1321.xll
Verdict:
No threats detected
Analysis date:
2021-12-14 17:26:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e4c7676-1d4d-45f8-ad0f-cc1794bacff4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Mikey.130661.12160.8996.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/99afafb9edf09d9430d229df428dd5532de770adbfdb5aa798574607cb6b15a2/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61b8c9d88a1c0aab6a87eda8/reports/301f3558-d6d5-4627-af20-b16ec01f8e96/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99afafb9edf09d9430d229df428dd5532de770adbfdb5aa798574607cb6b15a2/
Threat name:
ByteCode-MSIL.Trojan.Drixed
Create hunting rule
Status:
Malicious
First seen:
2021-12-14 15:10:52 UTC
File Type:
PE+ (Dll)
Extracted files:
2
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgx27opn6cozimgsfhpufdovkmw6o4fnx7nvvj4yk5daps3lcwra._file
Verdict:
unknown
Similar samples:
00f2cb2064af344f06c562bd4f84899ea6db145e45bbf7fdb570749a54fbc084
Dridex
02fb8eb6c513e90738234def1f0ee6869d25af749ba3285b9b979ed33c3ec2e9
Dridex
05dd0699fa283253f95d1c7389baa351bc5406477c036660b3a553e29ca17535
Dridex
1a129b53070e067ddf5073440679c8b155d99d2c0ee1cb6326dd025dcc4c5cb3
Dridex
4d722ed2510391ddcfc520cdfff4d6bd8d4f1366aa50a82a925fc6d35db5f388
Dridex
5f1ff93cf4eb1ec53402b5bb959a6fd1d4c94fed041606a39d7b334b699514ec
Dridex
996cf8f61a636f8c09e5919fe6426a28b3d5b6e7865a0e46294cc0085a9e83aa
Dridex
c7e28f0a0bfd22ba30414be8ecd3a48f9a0453693570994a88c5e50d67b8f492
Dridex
e8ecf8ebf7cf11d1637372f3b2abe0e63eaf6424756553536b98ddcce8dc4d0a
Dridex
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211214-t8tlcsgba9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99afafb9edf09d9430d229df428dd5532de770adbfdb5aa798574607cb6b15a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Dridex

Excel file xll 99afafb9edf09d9430d229df428dd5532de770adbfdb5aa798574607cb6b15a2

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments