MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b
SHA3-384 hash: aa13e2bc19bca8d0412de208b969cf22b830bcc676f9fa8c82690f3f6b331d78e57a4b8568205f21aa8c7218102c1420
SHA1 hash: 217316d0d637d818e2d2d22397222d715ed7b64c
MD5 hash: cdf3b326951bd5cd55254e5599302183
humanhash: india-gee-idaho-delaware
File name:cdf3b326951bd5cd55254e5599302183
Download: download sample
Signature Dridex
Create hunting rule
File size:487'424 bytes
First seen:2021-12-06 14:33:33 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 03540fe05cb0473f2f956a0d0a682262 (12 x Dridex)
ssdeep 12288:j7fimEsIsmY4K08oM1Wd8t5KQhNdv5z+:j7aVRBn7x6jt0
Threatray 5'558 similar samples on MalwareBazaar
TLSH T1CBA4AF469916A00DE80DA43DB24CB29AE9F862F7F57861F3542EB33E2DD30928F17459
Reporter zbetcheckin
Tags:32 dll Dridex exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211825/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.6599.2413.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
dridex greyware packed
Link:
https://www.filescan.io/uploads/61ae1f5e4d8e6f3a5e149d8c/reports/f1247fa1-a3fb-46fb-9dbe-b8139f5ce729/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7659cd6b-789e-4664-9481-9d4d8973a09f
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/902348
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 534828 Sample: Y1dPOv8Iyl Startdate: 06/12/2021 Architecture: WINDOWS Score: 72 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected Dridex unpacked file 2->27 29 2 other signatures 2->29 8 loaddll32.exe 13 2->8         started        process3 dnsIp4 17 23.246.204.126, 443, 49745, 49751 SOFTLAYERUS United States 8->17 19 172.105.78.60, 4664, 49750, 49754 LINODE-APLinodeLLCUS United States 8->19 21 3 other IPs or domains 8->21 11 cmd.exe 1 8->11         started        process5 process6 13 rundll32.exe 11->13         started        process7 15 WerFault.exe 23 9 13->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 14:34:13 UTC
File Type:
PE (Dll)
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
6d22c025dfc9ae47f722194f0c139b393e538c9ed467557476be20f19d7e7089
Dridex
6e2c1bfe691c3b9ae8d63f04fb1c129c7935c8a02ea04a45511f582d4155a2ba
Dridex
7dd71dac4d68a8d49db4b0077f38225b597591ee52f96fd832acfa552d166979
Dridex
82b59ec5899809d0e8bab3cbf8775d994af9cfb9213d1b3650032d263ebcba05
Dridex
b7c8fa282d0db4cb510325a4183dae5fd229b2e4f47b827a2d3cddd8889feb41
Dridex
d301deccc78473443431e5dbfd9bf820d0659a5b747adf64ee2d178084cfabf8
Dridex
dc764bcf7c82b8e21be4e6ab57217dea8edce6259c724f5605546e50549a2b99
Dridex
e023351c103b63084b21d7d0051001caab0643fc7b39f2a5b168c5e923af6430
Dridex
+ 5'548 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:10444 botnet loader
Link:
https://tria.ge/reports/211206-rxexqahbe6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Dridex Loader
Dridex
Malware Config
C2 Extraction:
23.246.204.126:443
151.106.39.36:8116
103.124.144.123:6891
172.105.78.60:4664
Unpacked files
SH256 hash:
2a45c2297e7a981e4abb6f18b5fdb2f27423204f806eefb18c7de1702cb625ab
MD5 hash:
49cd513cb7836914a661158b73720548
SHA1 hash:
761e4fe65df85d2e5fb8a2886f20ffad68867fb5
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/87beecec-1774-4cab-bb71-902eef6a6d49/
Parent samples :
618f667994e6c2947c6d3c646cc9ae264b9111f768625cbde00b155fa9d4e9f3
d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b
7e4eb05983026790d6874df967ef5d1d00fcea1e2841a8f7d333b727d3d8dcf4
SH256 hash:
ec162e2c5fbfde7830381c4518874bf5905daf945fa0b5d403d4a72f9bf9768e
MD5 hash:
e4690edd25b7791fb564585097dc6fdf
SHA1 hash:
c22fef971bb309b437fe7a0e9b17c518e49b222e
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/87beecec-1774-4cab-bb71-902eef6a6d49/
Parent samples :
618f667994e6c2947c6d3c646cc9ae264b9111f768625cbde00b155fa9d4e9f3
d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b
7e4eb05983026790d6874df967ef5d1d00fcea1e2841a8f7d333b727d3d8dcf4
fa6aea596a04b6bd957babd156bbd40cafa2b0662390cc2fd30953fb48ec61fc
SH256 hash:
d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b
MD5 hash:
cdf3b326951bd5cd55254e5599302183
SHA1 hash:
217316d0d637d818e2d2d22397222d715ed7b64c
Link:
https://www.unpac.me/results/87beecec-1774-4cab-bb71-902eef6a6d49/
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d0681c030a51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll d0681c030a51811edc6f19b6cc418043ef928e251c681cdf75a05949f932340b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1859135/
  
URLhaus
https://urlhaus.abuse.ch/url/1859140/
  
URLhaus
https://urlhaus.abuse.ch/url/1859141/
  
URLhaus
https://urlhaus.abuse.ch/url/1859139/
  
URLhaus
https://urlhaus.abuse.ch/url/1859153/
  
URLhaus
https://urlhaus.abuse.ch/url/1859143/
  
URLhaus
https://urlhaus.abuse.ch/url/1859166/
  
URLhaus
https://urlhaus.abuse.ch/url/1859151/
  
URLhaus
https://urlhaus.abuse.ch/url/1859149/
  
URLhaus
https://urlhaus.abuse.ch/url/1859152/
  
URLhaus
https://urlhaus.abuse.ch/url/1859160/
Cape
Cape
https://www.capesandbox.com/analysis/211825/
  
URLhaus
https://urlhaus.abuse.ch/url/1859163/
  
URLhaus
https://urlhaus.abuse.ch/url/1859179/
  
URLhaus
https://urlhaus.abuse.ch/url/1859241/
  
URLhaus
https://urlhaus.abuse.ch/url/1859237/
  
URLhaus
https://urlhaus.abuse.ch/url/1859246/
  
URLhaus
https://urlhaus.abuse.ch/url/1859254/
  
URLhaus
https://urlhaus.abuse.ch/url/1859266/
  
URLhaus
https://urlhaus.abuse.ch/url/1859273/
  
URLhaus
https://urlhaus.abuse.ch/url/1859270/
  
URLhaus
https://urlhaus.abuse.ch/url/1859283/
  
URLhaus
https://urlhaus.abuse.ch/url/1859292/
  
URLhaus
https://urlhaus.abuse.ch/url/1859302/
  
URLhaus
https://urlhaus.abuse.ch/url/1859131/
  
URLhaus
https://urlhaus.abuse.ch/url/1859167/
  
URLhaus
https://urlhaus.abuse.ch/url/1859284/
  
URLhaus
https://urlhaus.abuse.ch/url/1859154/

Comments