MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c
SHA3-384 hash: c82c8c14c6fbbf291983decd81ae8aeb75515d18dbb410d4b8c655102176fc90b0816b5416e6b32e067752e9500b62d6
SHA1 hash: c07c8a0ad5a7255967bd843f81160b59ddeba8ce
MD5 hash: 93bb6e22daed74acd13a9bdc6bcf2f4f
humanhash: may-hotel-speaker-edward
File name:c5n7358pdf
Download: download sample
Signature Dridex
Create hunting rule
File size:658'432 bytes
First seen:2020-09-28 13:47:07 UTC
Last seen:2020-09-28 14:46:14 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a1e143b2e053053939de11c2c29c7d7f (1 x Dridex)
ssdeep 12288:vJuCiXptOpGJ95MRYqsiSgOmO7dal70e1iZGZTBgq4PP:vkCm2pE5MRps5h+03GT4
Threatray 16 similar samples on MalwareBazaar
TLSH A2E4AFA079C3C07AF17616364D28C6B54A6DFD488B3548EF63D55F6E4A3A2C24E30F62
Reporter JAMESWT_WT
Tags:dll Dridex

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66429/
Detection(s):
SecuriteInfo.com.Generic.mg.93bb6e22daed74ac.29705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/476461
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290689 Sample: c5n7358pdf Startdate: 28/09/2020 Architecture: WINDOWS Score: 68 20 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Machine Learning detection for sample 2->24 6 loaddll32.exe 1 2->6         started        process3 process4 8 rundll32.exe 12 6->8         started        12 rundll32.exe 6->12         started        14 rundll32.exe 6->14         started        16 rundll32.exe 6->16         started        dnsIp5 18 67.79.105.174, 3786, 49717, 49719 TWC-11427-TEXASUS United States 8->18 26 System process connects to network (likely due to code injection or exploit) 8->26 signatures6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2020-09-28 13:43:03 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
06dd35ce0c9b164f9ecafc4269d91fb8a23634d541ec455dfcd4dcd624523f4b
Dridex
23be804db20cb450cf53fc82143ac34b9e741035c511af3e5c9880e7b3a70b3a
Dridex
2dc73ab125bbcfcaa2ad81debaa45da08adcfe021761d04c606812bf3748df68
Dridex
530001e38045813d7276694c428b64b4dc5a15b77f2b3cc757f64b8d34bcf815
Dridex
6571b88739b154807adbbe7b8d3ff75543887405f066489fb773a2186b862132
Dridex
74c2d430eb964fbf5b3a1e37bb6f8770e571ef8998f71d945a479bba4a42d2cc
Dridex
9c2b9591aa625e3dd4d8eae345b24e331bf731c9d5fa6455ac8e79bd6ec5d0d0
Dridex
a95efda438fdee4b4866287c2cfe9d89772a46c5d9d22377c8c63e43b2c93295
Dridex
c91847b9b00dddebd4f694412f2cc4c7346c15aa3cda2da856d9b0860a17ec50
Dridex
d67e1fd5d40e841c1aedbbf65d5f72a69da5ac54e48ae92da1f428c9f18d8363
Dridex
+ 6 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
botnet loader evasion trojan discovery family:dridex
Link:
https://tria.ge/reports/200928-gapfbr462s/
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blacklisted process makes network request
Dridex Loader
Dridex
Malware Config
C2 Extraction:
67.79.105.174:3786
51.83.96.87:443
192.175.111.212:14043
45.79.226.106:3098
Unpacked files
SH256 hash:
b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c
MD5 hash:
93bb6e22daed74acd13a9bdc6bcf2f4f
SHA1 hash:
c07c8a0ad5a7255967bd843f81160b59ddeba8ce
Link:
https://www.unpac.me/results/4f2fd6dc-f048-4b0e-8ad5-83237d66c3d3/
SH256 hash:
9347ab317eacf63e342fd375f91ff67809a7bdc62a15d2c76656afa83cafa8d9
MD5 hash:
c9c0e5d75fffd524905db4218ac5a734
SHA1 hash:
13a56cdfc71b24572e110339abd2ffb139b2aebe
Link:
https://www.unpac.me/results/4f2fd6dc-f048-4b0e-8ad5-83237d66c3d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/616204/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/616206/
  
URLhaus
https://urlhaus.abuse.ch/url/616205/
  
URLhaus
https://urlhaus.abuse.ch/url/616209/
  
URLhaus
https://urlhaus.abuse.ch/url/616207/
  
URLhaus
https://urlhaus.abuse.ch/url/616208/
  
URLhaus
https://urlhaus.abuse.ch/url/616211/
  
URLhaus
https://urlhaus.abuse.ch/url/616215/
  
URLhaus
https://urlhaus.abuse.ch/url/616217/
  
URLhaus
https://urlhaus.abuse.ch/url/616216/
  
URLhaus
https://urlhaus.abuse.ch/url/616220/
  
URLhaus
https://urlhaus.abuse.ch/url/616221/
Cape
Cape
https://www.capesandbox.com/analysis/66429/

Comments