MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac91022e04b4cd528d5cef6bdcc7e9ccaeb368ae1533c06e8f30579f2e71bbd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac91022e04b4cd528d5cef6bdcc7e9ccaeb368ae1533c06e8f30579f2e71bbd2
SHA3-384 hash: a7dc766e1879c526374ff704f6861401276562efff3d835241c3c6c888c720a135b49658319743f6b903cdec20b0018a
SHA1 hash: e0c8d2f10a710f327b21c4bac96bbc4fe402c293
MD5 hash: 3370f93697f67941163e9f5abd9c8cc9
humanhash: emma-johnny-georgia-failed
File name:ac91022e04b4cd528d5cef6bdcc7e9ccaeb368ae1533c06e8f30579f2e71bbd2
Download: download sample
Signature Dridex
Create hunting rule
File size:204'800 bytes
First seen:2021-02-25 13:34:06 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e32b55d8b41291a69aba4751d41cfc12 (3 x Dridex)
ssdeep 3072:BpidOjhJ5SosQnVbktFbTPhMIsbv6kA1FOaik8CSxZ8aRyRfY:BpiwjNSAAtxCTHw
Threatray 122 similar samples on MalwareBazaar
TLSH 52149D16EEA76F84FD9204FE39E862970D70FC509831D40A21E1339E68FE91B5E5076E
Reporter Cryptolaemus1
Tags:10444 Dridex


Avatar
Cryptolaemus1
Dridex 204

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119231/
Detection(s):
Win.Packed.Drixed-9817676-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Dridex Dropper
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/618735
Signature
C2 URLs / IPs found in malware configuration
Dridex dropper found
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac91022e04b4cd528d5cef6bdcc7e9ccaeb368ae1533c06e8f30579f2e71bbd2/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2020-12-21 15:17:04 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1d4b85e1b491f06bde4c24dba1add4699ba5cebae563eda46aed25b085a139a7
Dridex
39a05f74f92f6552734c04faebde326200f02f60b5c10a1062195a04ab94da8d
Dridex
538dbb8edaeba882aaf0b8f624a043699dd7544784352352a3b2b28ab6bad8e1
Dridex
75696d0d13749306f8dbb5818e181ea2093e166189b480b3c58c4ceb8770d064
Dridex
7db09fec761120eba416f2047447c5c3f0954f39ca5ed26086e099c28bd349bf
Dridex
8d00cb0248e3933ec12d2e303c058d0dd83eea88fc9191c4ad6a9afaeeb092dd
Dridex
9407254f8870565c27d6f5328a8b517a2a4788174da2880d0f2e33c6890077b3
Dridex
9492c6842475059a6af7f4b8c42e03944f08938243fa393713a5a6a930d79bcd
Dridex
f6958b6419aa600cedccb269ab7727319c7bab43bf0a99f5e2a3e9e2565b27e0
Dridex
fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d
Dridex
+ 112 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:204 botnet loader
Link:
https://tria.ge/reports/210225-36h663ragn/
Behaviour
Suspicious use of WriteProcessMemory
Dridex Loader
Dridex
Malware Config
C2 Extraction:
62.138.14.216:3074
46.4.83.131:3389
195.231.69.151:3889
198.211.118.187:3388
Unpacked files
SH256 hash:
e4f9bf320912275aa9c4a568118d4c61ace41ce9c9acababb51e29b388303c36
MD5 hash:
cae017c8ace10e093e5ce9e8b6451c58
SHA1 hash:
9d5cf76288bb2a957cfbd51ea5cd8070eb48e215
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/2e583006-f147-4c68-bccd-07148ff2f9bc/
Parent samples :
9407254f8870565c27d6f5328a8b517a2a4788174da2880d0f2e33c6890077b3
7db09fec761120eba416f2047447c5c3f0954f39ca5ed26086e099c28bd349bf
ac91022e04b4cd528d5cef6bdcc7e9ccaeb368ae1533c06e8f30579f2e71bbd2
SH256 hash:
7b98720e9df235bbb14bac91d113a195f8531d55bb6bab1607a3a2ac3cdde62b
MD5 hash:
b8982c8a51c9685cd29eaada046e0fce
SHA1 hash:
7a4bde8f653ca95fd569ae41dec0f965f3c275dd
Link:
https://www.unpac.me/results/2e583006-f147-4c68-bccd-07148ff2f9bc/
SH256 hash:
ac91022e04b4cd528d5cef6bdcc7e9ccaeb368ae1533c06e8f30579f2e71bbd2
MD5 hash:
3370f93697f67941163e9f5abd9c8cc9
SHA1 hash:
e0c8d2f10a710f327b21c4bac96bbc4fe402c293
Link:
https://www.unpac.me/results/2e583006-f147-4c68-bccd-07148ff2f9bc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:MALWARE_Win_DLLLoader
Create hunting rule
Author:ditekSHen
Description:Detects unknown DLL Loader
Rule name:win_dridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll ac91022e04b4cd528d5cef6bdcc7e9ccaeb368ae1533c06e8f30579f2e71bbd2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/119231/
  
URLhaus
https://urlhaus.abuse.ch/url/935580/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/935583/
  
URLhaus
https://urlhaus.abuse.ch/url/935587/
  
URLhaus
https://urlhaus.abuse.ch/url/935605/
  
URLhaus
https://urlhaus.abuse.ch/url/935612/
  
URLhaus
https://urlhaus.abuse.ch/url/935617/
  
URLhaus
https://urlhaus.abuse.ch/url/935615/
  
URLhaus
https://urlhaus.abuse.ch/url/935623/
  
URLhaus
https://urlhaus.abuse.ch/url/935625/
  
URLhaus
https://urlhaus.abuse.ch/url/935628/
  
URLhaus
https://urlhaus.abuse.ch/url/938655/
  
URLhaus
https://urlhaus.abuse.ch/url/935629/

Comments