MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba2a7bb8360874758eace96f834b60c1f0f43be5724fab00ffd8027daddab372. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 3


SHA256 hash: ba2a7bb8360874758eace96f834b60c1f0f43be5724fab00ffd8027daddab372
SHA3-384 hash: 98a3547692320845dca9dee93999fb4e7ed3c687deffce0dd5a08c14eeb874f5475bfd0c618375ce1902818b9bb6bbdd
SHA1 hash: f60d1517b20dda9f3f26673f1331a5abb0b30249
MD5 hash: 437145f1857866db0e7673648adb5766
humanhash: juliet-sodium-four-video
File name: invo_761932.xls
Signature: Dridex
File size: 94'720 bytes
First seen: 2020-03-31 17:30:01 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 1536:7TfY35NAYJl/OrMCp8pxWhZFGkE+cL23dAGZYszt0DL4KFDcX3Vp018mZ:77Y35NAYJl/OrMCp8pxWhZFGkE+cL23z
TLSH: BC9393CA6B55DE75DB11D3308DDE82A05320DC10AB5F4BC33684B2397FB99B09E825CA
Reporter: abuse_ch
Tags: Dridex xls


abuse_ch
Dridex malspam emitted from GMX mailservers (compromised email accounts?):

HELO: mout.gmx.net
Sending IP: 212.227.17.20
From: Mair Eryn <Rosaura.Rafiq8527633@gmx.com>
Subject: Invoice Due #761932
Attachment: invo_761932.xls

Dridex payload delivery URLs:
http://fikima.com/axel.exe
http://lonoth.com/jokx.exe
http://bellque.com/axel.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 114
Origin country: n/a
Vendor Threat Intelligence

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: win_alina_pos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_gootkit_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Dridex
Excel file xls: ba2a7bb8360874758eace96f834b60c1f0f43be5724fab00ffd8027daddab372 (this sample)

Comments


commented on 2020-03-31 17:42:53 UTC

Dridex C2s:
185.47.129.30:443
158.69.234.15:691
87.106.7.163:3886
107.170.158.58:1443