MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e84bdf9aa0e18218c7233e7e290dcd49d587e8b59c5fa214f636317ea1d00e8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Dridex


Vendor detections: 8



SHA256 hash: e84bdf9aa0e18218c7233e7e290dcd49d587e8b59c5fa214f636317ea1d00e8e
SHA3-384 hash: df8ba40d0a0478ce597d9665e2d318268b34d0510891f453226127714b36c11971e6561d6faa24735872386932f07a28
SHA1 hash: a21fe333887e937ba6ca290abf5bff78de2d398e
MD5 hash: 7ff0c12b1a8d867c2bc1da7c319fe1f6
humanhash: eleven-alpha-lion-low
File name: e84bdf9aa0e18218c7233e7e290dcd49d587e8b59c5fa214f636317ea1d00e8e
Signature: Dridex
File size: 827'392 bytes
First seen: 2020-11-10 11:40:55 UTC
Last seen: 2024-07-24 22:31:51 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 96927a99699f680c7045d444b5e2e2ca (13 x Dridex)
ssdeep: 24576:W+UxGSHd8cik3CJr0zuISZVKnigKdNCXl:W+CdYE4wunuh4
Threatray: 55 similar samples on MalwareBazaar
TLSH: 0F05D07482FDC315E1AB95F5F9E10CA00525F4268E369ACF2229812A547A6F53CF4B3F
Reporter: seifreed
Tags: Dridex

Intelligence


File Origin
# of uploads: 2
# of downloads: 91
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Searching for the window
Creating a window
Changing a file
Forced system process termination
DNS request
Sending a custom TCP request
Forced shutdown of a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 64 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph (ID 313385, sample gqJYFErT1Y, start date 10/11/2020, architecture WINDOWS, score 64): the sandbox started loaddll32.exe, two explorer.exe instances and 11 other processes; loaddll32.exe started cmd.exe and regsvr32.exe; cmd.exe started iexplore.exe, whose child iexplore.exe contacted tls13.taboola.map.fastly.net (151.101.1.44, port 443, FASTLYUS, United States), www.msn.com and 7 other IPs or domains; regsvr32.exe contacted 192.168.2.1.
Threat name: Win32.Trojan.Drixed
Status: Malicious
First seen: 2020-11-11 00:09:31 UTC
AV detection: 30 of 43 (69.77%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dridex botnet loader persistence
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Enumerates connected drives
Modifies Installed Components in the registry
Dridex Loader
Dridex
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DridexV4
Author: kevoreilly
Description: Dridex v4 Payload

Rule name: win_dridex_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_dridex_loader_v2
Author: Johannes Bader @viql
Description: detects some Dridex loaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
