MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7c74e4d190b77f63788a032c28c4c4a819edc736697152f0a3e217aba7f5e97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7c74e4d190b77f63788a032c28c4c4a819edc736697152f0a3e217aba7f5e97
SHA3-384 hash: 355241ce1b9b3bb2fea6c58ade8fc5d337cea9fa3e3a6dab3da885ed209eeea9351c90d265f870df72e859637732087f
SHA1 hash: 6e44a91a5da6b4d42688dab9f509a5627e7076f2
MD5 hash: d675588e03396ce464df0d1d329ec63c
humanhash: pizza-ink-lithium-india
File name:d675588e_by_Libranalysis
Download: download sample
Signature Dridex
Create hunting rule
File size:162'816 bytes
First seen:2021-04-28 20:39:41 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9e8b617b10ada8d5a1fd6f30540a87c8 (204 x Dridex)
ssdeep 3072:uM8CMtKJlXoDFwXrdV/9/uWIdojDZl4epTGmoAc7iTRilfn6wlYYRZwd:anClX8WZ7/HrRCADTR0VlDZw
Threatray 128 similar samples on MalwareBazaar
TLSH 07F3D0C2E7FFE0D6C42B743389DDB036EF5024988A3ACF35C504882E69D7954AB355A9
Reporter Libranalysis
Tags:Dridex


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/145226/
Detection(s):
Win.Malware.Dridex-9856077-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Dridex Dropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad.bank
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/701330
Signature
C2 URLs / IPs found in malware configuration
Dridex dropper found
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 399584 Sample: d675588e_by_Libranalysis.dll Startdate: 28/04/2021 Architecture: WINDOWS Score: 88 31 66.113.160.126 HOSTWAYUS United States 2->31 33 78.46.73.125 HETZNER-ASDE Germany 2->33 35 185.148.168.26 EVERSCALE-ASDE Germany 2->35 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Dridex dropper found 2->41 43 3 other signatures 2->43 8 loaddll32.exe 1 2->8         started        signatures3 process4 signatures5 45 Tries to detect sandboxes / dynamic malware analysis system (file name check) 8->45 11 rundll32.exe 8->11         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        18 5 other processes 8->18 process6 signatures7 49 Tries to detect sandboxes / dynamic malware analysis system (file name check) 11->49 51 Tries to delay execution (extensive OutputDebugStringW loop) 11->51 20 WerFault.exe 20 9 11->20         started        22 WerFault.exe 9 14->22         started        24 WerFault.exe 2 9 16->24         started        26 rundll32.exe 18->26         started        29 WerFault.exe 3 9 18->29         started        process8 signatures9 47 Tries to detect sandboxes / dynamic malware analysis system (file name check) 26->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7c74e4d190b77f63788a032c28c4c4a819edc736697152f0a3e217aba7f5e97/
Threat name:
Win32.Trojan.Drixed
Create hunting rule
Status:
Malicious
First seen:
2021-04-28 20:40:26 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47du4tizbn37mn4iuazmfdcmjkaz5xdtm2lrklykhyqxvot7l2lq._file
Verdict:
unknown
Similar samples:
02fa9fcf6243826c0a6115786977d5ad07c97e5db97eb4214169e5a63d8417cf
Dridex
03cd0d7589612b2f896853a161df161cdd1aee8ae80170b45123e6647859e600
Dridex
0e85608a12645902f3c1209138cfe8deeb9ad151bd13256ef5aae1770a620270
Dridex
2a70da7bc1f69a487d1c3c65dafee7ed5044131947adbe6d3e39f9d1ada0e762
Dridex
4038005774a07c760ac39840fcb7a5d81a687dcd7e6cef7a77e685e6e4b47289
Dridex
405ed7b6ae09c892b61645e9a885b3f46795dc53c4ccfe05e1b40a9ad104dcb7
Dridex
6529e934cd7406caa526be74dc8f3bbbf22470cae2c0fe6eab71d93d2782a6f7
Dridex
7693f81fc40b496fe1b0f459ca7566ce20d73c998b1003b112a5a8fe4db472c8
Dridex
89dbe847e2b690d523b79a4aa40975aed6a9347dcdcc5da2d72f76ab5e02026d
Dridex
fea251d981d4b1a712e77e580c1fedaf9acfb6374cad72ce4fc401a9f148f4eb
Dridex
+ 118 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22203 botnet evasion loader trojan
Link:
https://tria.ge/reports/210428-rywvt5k4kj/
Behaviour
Suspicious use of WriteProcessMemory
Checks whether UAC is enabled
Dridex Loader
Dridex
Malware Config
C2 Extraction:
78.46.73.125:443
185.148.168.26:2303
66.113.160.126:8172
Unpacked files
SH256 hash:
e7c74e4d190b77f63788a032c28c4c4a819edc736697152f0a3e217aba7f5e97
MD5 hash:
d675588e03396ce464df0d1d329ec63c
SHA1 hash:
6e44a91a5da6b4d42688dab9f509a5627e7076f2
Link:
https://www.unpac.me/results/7cff3803-dd8e-40b6-ab41-69a2e2f9bbcb/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:MALWARE_Win_DLLLoader
Create hunting rule
Author:ditekSHen
Description:Detects unknown DLL Loader
Rule name:win_dridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/145226/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-28 21:04:21 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing