MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df2ed991a6ab65f2bc05805376dcf34de7febc5c5d4b37d400546e4e01d90fc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df2ed991a6ab65f2bc05805376dcf34de7febc5c5d4b37d400546e4e01d90fc0
SHA3-384 hash: b6ffb347316d3e51e48cb79796c6ef242bba45968cedc291520e126967f1578e5805c2f0a1bc0be3d1836f7f77164863
SHA1 hash: 30d948edd1e0b1c7866148d9f6fd559f478958b7
MD5 hash: 5b2c0056592ca09b3b130d557792d2b2
humanhash: cat-low-aspen-india
File name:Gift_Card-20513935.scr
Download: download sample
Signature Dridex
Create hunting rule
File size:1'022'232 bytes
First seen:2020-11-26 04:05:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 12288:TY20AljdZgBPfKfxVST7whturB+1LtIcXFJ2VRQV5YoUNmOJYWjD2IZPMagG:k20gPgFKbE7ag+LlcnQjYoomwYWjf
Threatray 212 similar samples on MalwareBazaar
TLSH FC259C637A0A8C56C03353FD4050E3B997271F98E66692475AF0ED37FAD1A835E2E2C1
Reporter JAMESWT_WT
Tags:Dridex scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/547656
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df2ed991a6ab65f2bc05805376dcf34de7febc5c5d4b37d400546e4e01d90fc0/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 04:03:02 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=34xntengvns7fpafqbjxnxhtjxt75pc4lvftpvaakrxe4aozb7aa._file
Verdict:
malicious
Label(s):
dridex
Create hunting rule
Similar samples:
24e9d45999add1dac491b4c3cfb55b77b95a46bc693eec9df56d6194b7fbe25e
Dridex
560478c5532f341407bed4a90de3f7a53bb36d500691f1f41e7d18a44f354f8a
Dridex
59bcb00ad3c245e8c5b1de2341cc494a469513019a972f874f775b2266cd5015
Dridex
79a3a7441a371606291f8bd47216a503b27a38ec61ba7604c9ba2597a54cc3d8
Dridex
83c390d82e19beec14d007b7350f4296c23ce9b3d131a3670ebb7424ad917410
Dridex
9f38af84820dc29e805029409bbb2a5765036775973e3898b6db1f66c1b47270
Dridex
b354b40413ec755a51a63ab930860d9078d9ad157f1f18b0d0c441d73bf6691c
Dridex
d554bef77e35bbaa325fc61e5bca1ae419f9b2222110c913eb09b9369563c061
Dridex
fa4745a9f86a7516cc6fdf77834b1b9ab83ba3a29743461eabe2bec180c9de86
Dridex
fd6f6c377f403f5faccf5c4bb03a0d5af94f7f57ac13572a42b187cdbda027cc
Dridex
+ 202 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet loader
Link:
https://tria.ge/reports/201126-edk3yjxk2j/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Loads dropped DLL
Dridex Loader
Dridex
Malware Config
C2 Extraction:
194.225.58.216:443
178.254.40.132:691
216.172.165.70:3889
198.57.200.100:3786
Unpacked files
SH256 hash:
df2ed991a6ab65f2bc05805376dcf34de7febc5c5d4b37d400546e4e01d90fc0
MD5 hash:
5b2c0056592ca09b3b130d557792d2b2
SHA1 hash:
30d948edd1e0b1c7866148d9f6fd559f478958b7
Link:
https://www.unpac.me/results/53aeb0e9-61fe-451a-8923-0ac01a50dc4e/
SH256 hash:
5c92e662a38c94a7d6fdafff3c1c91200f09621bf80efc8a64afebe978710d44
MD5 hash:
4c36b74c0b96bc88e4e7f55d40dd04ce
SHA1 hash:
7c0d5918ea88237024e242317679f07437ceff67
Link:
https://www.unpac.me/results/53aeb0e9-61fe-451a-8923-0ac01a50dc4e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_dridex_loader_v2
Create hunting rule
Author:Johannes Bader @viql
Description:detects some Dridex loaders

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105579/

Comments