MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82
SHA3-384 hash: 477176658a6699c1fd8313e2ed1dead2130a27daa02c61d07c2d950028e8308091ee8ce455028cc871e61df25e95bafb
SHA1 hash: b33219154cc6a9db3bb471693542c7982dc5be1a
MD5 hash: 4ef7ea6eb6f007e8f0ad9cd6243a21c5
humanhash: timing-football-winter-lemon
File name:4ef7ea6eb6f007e8f0ad9cd6243a21c5
Download: download sample
Signature Dridex
Create hunting rule
File size:618'496 bytes
First seen:2021-10-13 13:37:06 UTC
Last seen:2021-10-13 16:20:37 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 0bdeed4a70b8b1fd5924130bfe75d8bf (3 x Dridex)
ssdeep 12288:/uIBebwMtjp4CqwqyaXPLAfx38TW9DiWUT2tq017JGoLbiW/:mHb4wqyaDA5sTWiXT2tq07G23/
Threatray 858 similar samples on MalwareBazaar
TLSH T129D4F8013A54E821E7E955B6CF2AC6E85B183D48EFB1A4C778E17F0F2AA94F3D215305
Reporter zbetcheckin
Tags:32 dll Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197218/
Detection(s):
SecuriteInfo.com.ML.PE-A.16295.1195.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware icedid wacatac
Link:
https://www.filescan.io/uploads/6166e13d1c2d58ba7404ccbe/reports/d75aa493-df8b-41ca-8883-dd37695ddad5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c148a3b-99ae-4ef7-9af6-fa8ba69204d5
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/869845
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Dridex e-Banking trojan
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502274 Sample: Pxnrz0DXD3 Startdate: 13/10/2021 Architecture: WINDOWS Score: 88 29 Found malware configuration 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected Dridex unpacked file 2->33 35 2 other signatures 2->35 7 loaddll32.exe 13 2->7         started        process3 signatures4 39 Detected Dridex e-Banking trojan 7->39 10 cmd.exe 1 7->10         started        12 rundll32.exe 7->12         started        15 rundll32.exe 7->15         started        17 rundll32.exe 7->17         started        process5 signatures6 19 rundll32.exe 12 10->19         started        41 Detected Dridex e-Banking trojan 12->41 process7 dnsIp8 23 174.128.245.202, 443, 49749, 49758 ST-BGPUS United States 19->23 25 51.83.3.52, 13786, 49750, 49769 OVHFR France 19->25 27 69.64.50.41, 49763, 49772, 49775 AS-30083-GO-DADDY-COM-LLCUS United States 19->27 37 System process connects to network (likely due to code injection or exploit) 19->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 13:38:10 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4x2ekldbc4fado3rq2fann673qhcfcr2ets36fwoywgbdqm7oba._file
Verdict:
malicious
Label(s):
dridex
Create hunting rule
gozi
Create hunting rule
Similar samples:
09cceb619174c99d026734f860f26cda0107af31b9153a9f7d6613c86fd57772
Dridex
55cbb43aad59d149ba4bc06684771b5d87a3f570da165437c4d07d442d4b8db7
Dridex
791252fc4def3c4c3bdb270633ffc88c0e2cd8e8e8ba299825a83841a273e7dd
Dridex
98b3fa8ad7143d6bfb754aeca00ded8ffe5789d7e4360f51841801906f5e5551
Dridex
9e39f4494952dfedc6608ebad6c832474045bfaba3ccbb69f8194a2681311eac
Dridex
a9653dacc87403855ff752ff34c6913f5c4f0aec5bfe2c83f95151c9e13d5ba4
Dridex
b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c
Dridex
b9bb671587f2dad8a3df83d6bd0b7b8327edf93fadbefe8b6aa7eabe6698ae88
Dridex
f14930c641c001377c3c4c468fc97ab43acde69287819c134d529d95c0fb7bb4
Dridex
fa8ed75cfc69a06cf1e809531f7371b5c75fd480339ae65568785b76387ceaa0
Dridex
+ 848 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:10444 botnet discovery evasion trojan
Link:
https://tria.ge/reports/211013-qxdtzseaen/
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blocklisted process makes network request
Dridex
Malware Config
C2 Extraction:
174.128.245.202:443
51.83.3.52:13786
69.64.50.41:6602
Unpacked files
SH256 hash:
921a632ca94f896d484c059c1333885d50713cf566a67cf4499204ebc83f4c57
MD5 hash:
afbe61c39913418a25071d07ae3d1d09
SHA1 hash:
bf08bd0b0fce9904604ea7a19e6f19886330a96b
Link:
https://www.unpac.me/results/b2412fc8-2683-4107-bb67-d7987d4bb86e/
SH256 hash:
c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82
MD5 hash:
4ef7ea6eb6f007e8f0ad9cd6243a21c5
SHA1 hash:
b33219154cc6a9db3bb471693542c7982dc5be1a
Link:
https://www.unpac.me/results/b2412fc8-2683-4107-bb67-d7987d4bb86e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:win_dridex_loader_v2
Create hunting rule
Author:Johannes Bader @viql
Description:detects some Dridex loaders

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1674031/
  
URLhaus
https://urlhaus.abuse.ch/url/1674062/
  
URLhaus
https://urlhaus.abuse.ch/url/1673998/
  
URLhaus
https://urlhaus.abuse.ch/url/1674111/
  
URLhaus
https://urlhaus.abuse.ch/url/1673971/
  
URLhaus
https://urlhaus.abuse.ch/url/1674029/
  
URLhaus
https://urlhaus.abuse.ch/url/1674112/
  
URLhaus
https://urlhaus.abuse.ch/url/1674052/
  
URLhaus
https://urlhaus.abuse.ch/url/1674054/
  
URLhaus
https://urlhaus.abuse.ch/url/1674122/
  
URLhaus
https://urlhaus.abuse.ch/url/1673982/
Cape
Cape
https://www.capesandbox.com/analysis/197218/
  
URLhaus
https://urlhaus.abuse.ch/url/1674049/

Comments


Avatar
zbet commented on 2021-10-13 13:37:07 UTC

url : hxxps://marfra.ottimosoft.com/w530d0u.tar