MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c749e76dc4c135b3e3f87eac42b6aae70a8efec197f9d311917a665697c1bbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c749e76dc4c135b3e3f87eac42b6aae70a8efec197f9d311917a665697c1bbd
SHA3-384 hash: a95de7e211a531fd6184b4abf4b97f4318dbe9544ccb56b32e9a5ea80a12ef6ef20692880bef10d53a122610a8c2c51f
SHA1 hash: 5ca5372a17171bfbfc550c48537caaf5770c85bc
MD5 hash: cd4f23dbb8f79ad8ed0c9205f2e6a32b
humanhash: table-five-bakerloo-low
File name:ipsl.exe
Download: download sample
Signature Dridex
Create hunting rule
File size:208'896 bytes
First seen:2020-04-01 14:18:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e67b08549f1fefd156c2e399a725cb34 (1 x Dridex)
ssdeep 6144:1KXPrWMPfq17toEEFN/rTG3zDgqdQjW5BHu:10PrWMq1+ZFNzTWBH
Threatray 305 similar samples on MalwareBazaar
TLSH AC141210E3777158D353467563FFE38BAB996A52CB208E54EF4E3957FE207902287502
Reporter abuse_ch
Tags:Dridex exe


Avatar
abuse_ch
Dridex malspam campaign sent via GMX mailservers:

XLS->URL->EXE

Dridex payload delivery domains:
volork.com A 47.254.69.137
zigite.com A 47.254.69.137

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.dc.10318.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Dridex
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 14:35:30 UTC
File Type:
PE (Exe)
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tr2j45w4jqjvwpr7q7vmik3kvzykr37mdf7z2mizc6tgk2l4do6q._file
Verdict:
malicious
Label(s):
dridex
Create hunting rule
emotet
Create hunting rule
Similar samples:
33f58c125b2149fd2d4ab64d7014ba25b423bd8f190b0aac13e0de8c88049684
Dridex
3d0f043627dea5de72eae3fd54dd228dcc4320e8802200dbf21bcbe1cce0bf4a
Dridex
41a3586da1ade6096a5d254c93d071ed5bdd702ddbff61b5db3473495de412e6
Dridex
5528a39d6f2ca52ad81f936c75e2036cb91d0e88824f7a5abd67a601314b66bb
Dridex
6067b4d4febf1c025385eab5f40934d1ffe00e3ce2d6f5bb8f6481689d48ae72
Dridex
78839fce69215d10637ea20a38b1108b8e69719e8ac53b79b0f34d30d6b340a0
Dridex
809dd9df68daf8e93c2b15309aad4401aa1c7a30f727caa5cc7b2cc46aca8664
Dridex
aa4d510f35a686b54ce2a26ae399ef7e9dccc1846b561fd741cf2469b6a77fb4
Dridex
ce90df48bfadeec34a0e41e19bb140fda94c59fe3d27095b517da6bba4f9eeb3
Dridex
ec9f6a70899278d8eecd7c501971b8381b9ef9affae659521f1e5009be15abc7
Dridex
+ 295 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dridex_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/333372/
  
Delivery method
Distributed via e-mail link

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW

Comments