MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7a22df0c1bc6cfe128d8b80ff9dedf0e16795202d3fcb407784663653035152. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Dridex


Vendor detections: 8


SHA256 hash: e7a22df0c1bc6cfe128d8b80ff9dedf0e16795202d3fcb407784663653035152
SHA3-384 hash: ea858983a1a3fe9600a0d73332f8e9a036c9521a1e24cd2b68dd92208c9eb0a8201ba4f5779f9ac5a05cfbcf94ea0dbd
SHA1 hash: 392166274dbfa8740d96c2dfd213a2965e6527a6
MD5 hash: db4371051ad72f81022ff9e5182ad197
humanhash: lemon-venus-oxygen-virginia
File name: db4371051ad72f81022ff9e5182ad197.exe
Signature: Dridex
File size: 4'311'728 bytes
First seen: 2020-12-22 12:25:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep: 98304:oKmX93tKmb8BabnfiS1tvY0dV+d5Mq8yjP3YwoDl9s9N:oiS1Q8d6N
Threatray: 10 similar samples on MalwareBazaar
TLSH: C7169D543C63352F35A900B499D626EA81DA30895A34173BACE35A7CF54CE8B7CDF4B2
Reporter: abuse_ch
Tags: Dridex exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 278
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: db4371051ad72f81022ff9e5182ad197.exe
Verdict: Suspicious activity
Analysis date: 2020-12-22 12:32:10 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 56 / 100
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 333278; sample eHGJVl2L94.exe; start date 22/12/2020; architecture WINDOWS; score 56):
- Top-level signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample
- eHGJVl2L94.exe started; dropped C:\Users\user\AppData\...\eHGJVl2L94.exe.log (ASCII); signature: Injects a PE file into a foreign processes
- eHGJVl2L94.exe started a second eHGJVl2L94.exe instance, which started WerFault.exe (twice) and conhost.exe
- Both WerFault.exe instances dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
Threat name: ByteCode-MSIL.Packed.Generic
Status: Suspicious
First seen: 2020-12-22 12:26:06 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 1/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: c75ae7d335350e984adc503ea2e71cfa493e56c94cf552df0c063d4d905214b3
MD5 hash: 91d55cfa4cd732f85cde6dd084f17f46
SHA1 hash: 43ced338a5334825a7d8999c3a76ec9ec1400890

SHA256 hash: 5e093ea1a9326916a378784d0d3ea2275dd69c8122c69dcde9d904972654a9b2
MD5 hash: 8c95292c12313c77fc5cf4174c26371a
SHA1 hash: df43573401ff1fe3aee850fc5235fd10925dfddb

SHA256 hash: e7a22df0c1bc6cfe128d8b80ff9dedf0e16795202d3fcb407784663653035152
MD5 hash: db4371051ad72f81022ff9e5182ad197
SHA1 hash: 392166274dbfa8740d96c2dfd213a2965e6527a6

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_dridex_loader_v2
Author: Johannes Bader @viql
Description: detects some Dridex loaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Dridex
File type: Executable exe
SHA256 hash: e7a22df0c1bc6cfe128d8b80ff9dedf0e16795202d3fcb407784663653035152 (this sample)

Delivery method
Distributed via web download

Comments