MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee492eda053d19e082cd88acef8825e8dfd4616d51689e2e9667f5ed9035b1df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex

Vendor detections: 7

SHA256 hash: ee492eda053d19e082cd88acef8825e8dfd4616d51689e2e9667f5ed9035b1df
SHA3-384 hash: 32510263db87b3ecab50675b2eb06ffb7de1809a3a6df32d689d2d554c2e0c29235130c20abfc6b9be22bcb6243994ba
SHA1 hash: a8adc02637c62262e02f0097222cda0cd2aef013
MD5 hash: e3c73316a5a270a82f24e56ec0f62e0e
humanhash: montana-september-missouri-carpet
File name: Amazon_eGift-Card_579366314.scr
Signature: Dridex
File size: 927'352 bytes
First seen: 2020-11-26 05:12:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep: 12288:YY20AljdZgBPfKfzagXLUZQxAogJfqsUsz0cX0bQrGrxyvdiXACHDMq2:920gPgFKWQUZQxAVBbIcXuQ+wGAST2
Threatray: 227 similar samples on MalwareBazaar
TLSH: 6C1512223AD1C032E9639571DDF8A772FAB5BA306670558BF7500B2E2F719A2C325743
Reporter: JAMESWT_WT
Tags: Dridex scr

Intelligence

File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Searching for the window
Creating a file
Sending a UDP request
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a recently created file
Sending a custom TCP request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Drops batch files with force delete cmd (self deletion)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph (ID 322958; sample Amazon_eGift-Card_579366314.scr; start date 26/11/2020; architecture WINDOWS; score 84)
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 2 other signatures
DNS lookup: g.msn.com
Process tree recovered from the graph:
  Amazon_eGift-Card_579366314.exe
    dropped: C:\Video\config\elp.bat (ASCII); C:\Video\config\extraPFZ.exe (PE32)
    signature: Drops batch files with force delete cmd (self deletion)
    wscript.exe
      cmd.exe
        wscript.exe
          cmd.exe
            regsvr32.exe
              network: 198.57.200.100 (ports 3786, 49723, 49727), UNIFIEDLAYER-AS-1US, United States; 216.172.165.70 (ports 3889, 49722, 49726), UNIFIEDLAYER-AS-1US, United States; 2 other IPs or domains
              signature: System process connects to network (likely due to code injection or exploit)
            conhost.exe
            timeout.exe
            attrib.exe
        extraPFZ.exe
          dropped: C:\Video\config\pzxrk4325.dll (PE32); C:\Video\config\7p.bat (ASCII)
        conhost.exe
        3 other processes
Threat name: Win32.Infostealer.Dridex
Status: Malicious
First seen: 2020-11-26 05:13:04 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dridex botnet evasion loader
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Kills process with taskkill
Modifies registry class
Loads dropped DLL
Executes dropped EXE
Sets file to hidden
Dridex Loader
Dridex
Malware Config
C2 Extraction:
194.225.58.216:443
178.254.40.132:691
216.172.165.70:3889
198.57.200.100:3786
Unpacked files
SHA256 hash: 9da0e8c9f248c67e6b283849c3a972d73401f39e369c269664611783a5d8295e
MD5 hash: 062df040bf42c642b3b69f0300e046c8
SHA1 hash: 98443f0e85c48cbf2c9929d7899bd8ee433d1ec8

SHA256 hash: 556b491aa61c7a984795fc4aeefe2e212c1e0aacb641ef85c37105e445ddb3da
MD5 hash: e67b2ed2b8b24bea414f319d9e210857
SHA1 hash: 582e466c2e50dfdaf60f1074d4862172221e2841

SHA256 hash: c1b592cce67773d817f625f4a26135331585016e5cecb7f73ec127f0056a30e3
MD5 hash: 4203f581a4f4434b899e151ba8e5e8a8
SHA1 hash: fa43f5701ffd2531969610cab886c0402b096ca8

SHA256 hash: ee492eda053d19e082cd88acef8825e8dfd4616d51689e2e9667f5ed9035b1df
MD5 hash: e3c73316a5a270a82f24e56ec0f62e0e
SHA1 hash: a8adc02637c62262e02f0097222cda0cd2aef013
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: win_dridex_loader_v2
Author: Johannes Bader @viql
Description: detects some Dridex loaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments