MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af642ae23696b4b2897ee3a5756c81a82eeb9071053a1eabbd4eeeb0eb05efca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af642ae23696b4b2897ee3a5756c81a82eeb9071053a1eabbd4eeeb0eb05efca
SHA3-384 hash: 626e830be5b2c59fd47ad3be7d9d5d7fdcb3c383f9f892f5be7b52f8680bead83484fb20253a0a36184559c1ec59f6b9
SHA1 hash: 2cfb5690c0d61c5043d906f830bbe408f874f7b9
MD5 hash: ea3d351a11b2b462b0993bf315634888
humanhash: orange-maine-pennsylvania-iowa
File name:ea3d351a11b2b462b0993bf315634888.dll
Download: download sample
Signature Dridex
Create hunting rule
File size:679'936 bytes
First seen:2021-10-14 18:26:11 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 4f594b3d8de797f24127c3ffc3b6f80b (1 x Dridex)
ssdeep 12288:5/0Qzqf0e/i48fM+6TFKywVt6PbEYU0eyJTT/Mu9oV01ujoaEP:p0zh/cn6TFKywvCbEOxDMu9oyNaEP
Threatray 886 similar samples on MalwareBazaar
TLSH T1DFE408013A40E821E7E55576CF2AC6E85B083D49EFB5A5CB78E17F0F2AA98F3D215301
Reporter abuse_ch
Tags:dll Dridex

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197612/
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6168767afd35fe780c40b2e2/reports/4c8e297f-09e0-40fd-85be-f8ee6673f4d4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7125d62d-dbbc-475b-8719-eaf08172ee91
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/870718
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 503147 Sample: TBgDCB5Py8.dll Startdate: 14/10/2021 Architecture: WINDOWS Score: 80 27 Found malware configuration 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected Dridex unpacked file 2->31 33 2 other signatures 2->33 7 loaddll32.exe 13 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 rundll32.exe 7->15         started        process5 17 rundll32.exe 12 9->17         started        dnsIp6 21 174.128.245.202, 443, 49761, 49771 ST-BGPUS United States 17->21 23 51.83.3.52, 13786, 49762, 49782 OVHFR France 17->23 25 69.64.50.41, 49770, 49784, 49786 AS-30083-GO-DADDY-COM-LLCUS United States 17->25 35 System process connects to network (likely due to code injection or exploit) 17->35 signatures7
Detection:
dridex
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af642ae23696b4b2897ee3a5756c81a82eeb9071053a1eabbd4eeeb0eb05efca/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-10-14 18:27:07 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
gozi
Create hunting rule
Similar samples:
2fc3cb59c6857ff712e6fb5f29536a51962edd2ef374e6f2cd18c9145d275c9f
Dridex
6b34671b04872cfde098c319f20693021a43ddb8b00f989669778e745e5232a4
Dridex
8243d4138835db46bef1051fd0b396a110968deb97078b07fbd6ab60b6cc3bc3
Dridex
857b5c1209e2bec7dda0c80b92123f4ceb15f8c560f23551804e4bd09b94e901
Dridex
91c376e46a03fd60bd99fac07389eea32d1098ee23ac154aedd90025bc64528a
Dridex
96b51e628389b4044eb4c4d262deadbcfa778db13a7768ab7806b0e1f81d2ebf
Dridex
b6bd8479ef5943eaf26efdcda11ab09bf0569ad2295ba905fc0901511ca7c286
Dridex
ca93714ecbd8d40896d6c4c49cda2fc03750ebf334a26418ef960571006d8b5c
Dridex
de81f923ca4c12378688a8e26fbb0ec11d69d35f509cff7815fd3d4bc9bb0f59
Dridex
ffd6ae5e716b2cade6d3365fb9440a5a67f37d3c249d78bdea9e5ef3d39ce52c
Dridex
+ 876 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:10222 botnet discovery evasion trojan
Link:
https://tria.ge/reports/211014-w3r7fsahdk/
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blocklisted process makes network request
Dridex
Malware Config
C2 Extraction:
174.128.245.202:443
51.83.3.52:13786
69.64.50.41:6602
Unpacked files
SH256 hash:
09d4522a5abc05c643664055c425eaf61c41618716fb0018cb3091a1efe427ea
MD5 hash:
1d9c6262d2aa2b5366b41170dff48e6f
SHA1 hash:
1d89e04246e7b435608148f8270943045b82f651
Link:
https://www.unpac.me/results/08199c30-ec2c-4a59-84f5-534b5926c353/
SH256 hash:
af642ae23696b4b2897ee3a5756c81a82eeb9071053a1eabbd4eeeb0eb05efca
MD5 hash:
ea3d351a11b2b462b0993bf315634888
SHA1 hash:
2cfb5690c0d61c5043d906f830bbe408f874f7b9
Link:
https://www.unpac.me/results/08199c30-ec2c-4a59-84f5-534b5926c353/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af642ae23696b4b2897ee3a5756c81a82eeb9071053a1eabbd4eeeb0eb05efca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll af642ae23696b4b2897ee3a5756c81a82eeb9071053a1eabbd4eeeb0eb05efca

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1674035/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1674038/
Cape
Cape
https://www.capesandbox.com/analysis/197612/

Comments