MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0b22ae087511553366f2c9292424f5f3bebbbe621ed54a91d52b9f8d96f594e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	d0b22ae087511553366f2c9292424f5f3bebbbe621ed54a91d52b9f8d96f594e
SHA3-384 hash:	f927c5b3709858858409a267d3aec2d16c142a0c6c158d57e7fbf103d97e7a1369f7406d8fb5e422d661831a0a06d604
SHA1 hash:	661e3877b2241dc4b5242cb8099499cc5e616893
MD5 hash:	1500424ddb5f27686a64dbeec27f56fe
humanhash:	east-coffee-romeo-pip
File name:	vl5zt37bpdf
Download:	download sample
Signature	Dridex Create hunting rule
File size:	742'744 bytes
First seen:	2020-10-01 13:31:19 UTC
Last seen:	2020-10-01 15:51:34 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	59b4d90ccd42d8a41fe8c5f5161ddef8 (2 x Dridex)
ssdeep	12288:MXul/0MvQL9lFG1oMKv5qfHU2aaC1QDlKtwU5rm4ik:IYcIIFG1oLv5qf7XC1Q8uU5rma
Threatray	6 similar samples on MalwareBazaar
TLSH	F8F4DEB8FAE2F4D7D14A28B886AD1D1B1DBD8D815236F91F7ACDF09C4A61F51B700A01
Reporter	JAMESWT_WT
Tags:	Dridex

Code Signing Certificate

Organisation:	INPESRTCVCBHTFAXMU
Issuer:	INPESRTCVCBHTFAXMU
Algorithm:	sha1WithRSA
Valid from:	Sep 30 12:13:25 2020 GMT
Valid to:	Dec 31 23:59:59 2039 GMT
Serial number:	607DB023EC8A4C924A28C14C60B5F5F9
Thumbprint Algorithm:	SHA256
Thumbprint:	254C1D32ADADFD2908E9D2158373BF8784D2E7DBFEE12E01336E1AD66E3B1E21
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

2

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/67404/

Detection(s):

SecuriteInfo.com.BScope.TrojanRansom.Shade.11303.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/479351

Signature

A

b

c

d

e

f

i

l

M

n

o

r

S

t

u

V

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d0b22ae087511553366f2c9292424f5f3bebbbe621ed54a91d52b9f8d96f594e/

Threat name:

Win32.Infostealer.Dridex

Status:

Malicious

First seen:

2020-10-01 13:33:07 UTC

File Type:

PE (Dll)

Extracted files:

35

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Verdict:

malicious

Label(s):

dridex

Similar samples:

2dc73ab125bbcfcaa2ad81debaa45da08adcfe021761d04c606812bf3748df68

30ddf8d34671494f41ef339a36a9a91d8593a297c299c16603c73e1842486284

63edc4ccc3345880ec3dd6e74360b45a0fa1e9b3147c21d245557ee0721fc347

93a47f8cffdd7f69d020813a390ffcf3bf850a5e53d398feba160f8efd2b5c43

b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c

fa4745a9f86a7516cc6fdf77834b1b9ab83ba3a29743461eabe2bec180c9de86

Result

Malware family:

dridex

Score:

10/10

Tags:

botnet loader evasion trojan discovery family:dridex

Link:

https://tria.ge/reports/201001-7yg1pnbn82/

Behaviour

Suspicious use of WriteProcessMemory

Checks installed software on the system

Checks whether UAC is enabled

Blacklisted process makes network request

Dridex Loader

Dridex

Malware Config

C2 Extraction:

146.164.126.197:443
69.16.193.166:9443
193.90.12.122:3098
157.245.103.132:14043

Unpacked files

SH256 hash:

d0b22ae087511553366f2c9292424f5f3bebbbe621ed54a91d52b9f8d96f594e

MD5 hash:

1500424ddb5f27686a64dbeec27f56fe

SHA1 hash:

661e3877b2241dc4b5242cb8099499cc5e616893

Link:

https://www.unpac.me/results/6da277ca-c33a-439c-99a6-01ed445cbe52/

SH256 hash:

5181f4b9080079dfd693f100fe41394fad318867905c3c9edfc8962cc40786b7

MD5 hash:

84dfcdf35bab5089f7a7a5b84a46ae3a

SHA1 hash:

cced845b87873836aebe3e073f4dbb60f12f4575

Link:

https://www.unpac.me/results/6da277ca-c33a-439c-99a6-01ed445cbe52/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d0b22ae087511553366f2c9292424f5f3bebbbe621ed54a91d52b9f8d96f594e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DLL dll d0b22ae087511553366f2c9292424f5f3bebbbe621ed54a91d52b9f8d96f594e

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/67404/

URLhaus

https://urlhaus.abuse.ch/url/635343/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/635346/

URLhaus

https://urlhaus.abuse.ch/url/635347/

URLhaus

https://urlhaus.abuse.ch/url/635348/

URLhaus

https://urlhaus.abuse.ch/url/635349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample