MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f00e60f5f094abfe9448d10cb84194e73c0e0f2cb52f00d474d6420cb001c579. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f00e60f5f094abfe9448d10cb84194e73c0e0f2cb52f00d474d6420cb001c579
SHA3-384 hash: cf3878739b809fd469bd9bd6dbb6a89300cfb0417f7402b68082e41c451ffd72b359922316b2fd0473a56e45dd39e574
SHA1 hash: f8b456c5a5b9fafe6cd2d90774eaf78ac90824c5
MD5 hash: 222d9a3950c1dd4e9d659e51e46ca608
humanhash: harry-minnesota-hotel-triple
File name:222d9a3950c1dd4e9d659e51e46ca608
Download: download sample
Signature Dridex
Create hunting rule
File size:167'936 bytes
First seen:2021-07-14 17:41:14 UTC
Last seen:2021-07-14 20:40:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e9cbee8358b331a128409a4d26e3e347 (5 x Dridex)
ssdeep 3072:QWiJzQu5JD9ko9WY1wzxWrPA0Nt7L5cWlvsRwmhnxONgkDY:QLquAkPA07X5WncNgk
Threatray 4'577 similar samples on MalwareBazaar
TLSH T1F2F3023232BB6AFAE276FD72065FD931273164480308DA6F76019F86D95E0E24C6FB11
Reporter zbetcheckin
Tags:32 Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
222d9a3950c1dd4e9d659e51e46ca608
Verdict:
Suspicious activity
Analysis date:
2021-07-14 17:43:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7da8661d-fc04-4bf8-bc27-d79707e60cc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DridexV4
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171793/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.31892.25360.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82154d86-5073-4e77-86fa-a1ddd7d377e0
Result
Threat name:
Dridex Dropper
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816463
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Dridex dropper found
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f00e60f5f094abfe9448d10cb84194e73c0e0f2cb52f00d474d6420cb001c579/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 17:30:38 UTC
File Type:
PE (Exe)
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ahgb5pqssv75fci2eglqqmu446a4dzmwuxqbvdu2zbazmabyv4q._file
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
14cb6974ea36b5478eaa7e8f24e1d2896adc8e16df7bf8842c70a1f636c2df75
Dridex
1b769568e3dd1c84f72d08e19c7ff0afb8efaa1ebcff6d6c8d689769bd3ef9a4
Dridex
3e3849f655bed5d4520d16e29b6f5a2b9f294243ca2f8bae7c16cd12c6d31a9f
Dridex
4c56a5a7e49b23fcfab4b8d469d42e583497178b9b237374db3e14289f2afc64
Dridex
5d9c6e1b85b728aa57e6afaefe26c1bcc5bb687b061ebae53a166d9453f4fd2c
Dridex
60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe
Dridex
9ffe349bfcaac3ceffbbb5accf85814b0e08d204a02b63a9df9681235a464ecc
Dridex
a8f0a6eb4b161ade2e2d741eb541586becd3fd146b422370ac6ca919c05cab57
Dridex
cae068c4c59a4082133d44bdc9db33444b759f8f465a24b37b84670243bd5104
Dridex
+ 4'567 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22202 botnet evasion loader trojan
Link:
https://tria.ge/reports/210714-8mdrvgpasx/
Behaviour
Checks whether UAC is enabled
Dridex Loader
Dridex
Malware Config
C2 Extraction:
202.29.60.34:443
66.175.217.172:13786
78.46.78.42:9043
Unpacked files
SH256 hash:
6dc2a461f21f53cac7c372fd594c419effe1b3538ae821aac4d8e76202729d0a
MD5 hash:
6ebfa361b1ef55f3296fb50e53c84b2e
SHA1 hash:
90ee87cc73001116cfd2f48ab9c83fd134b925a0
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/928812b1-9fa8-4c0b-b121-ffff28bf8562/
SH256 hash:
f00e60f5f094abfe9448d10cb84194e73c0e0f2cb52f00d474d6420cb001c579
MD5 hash:
222d9a3950c1dd4e9d659e51e46ca608
SHA1 hash:
f8b456c5a5b9fafe6cd2d90774eaf78ac90824c5
Link:
https://www.unpac.me/results/928812b1-9fa8-4c0b-b121-ffff28bf8562/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/f00e60f5f094abfe9448d10cb84194e73c0e0f2cb52f00d474d6420cb001c579

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:DridexV4
Create hunting rule
Author:kevoreilly
Description:Dridex v4 Payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_doppeldridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.doppeldridex.
Rule name:win_nymaim_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.nymaim.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

Executable exe f00e60f5f094abfe9448d10cb84194e73c0e0f2cb52f00d474d6420cb001c579

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1454517/
Cape
Cape
https://www.capesandbox.com/analysis/171793/
  
URLhaus
https://urlhaus.abuse.ch/url/1454881/
  
URLhaus
https://urlhaus.abuse.ch/url/1454889/
  
URLhaus
https://urlhaus.abuse.ch/url/1454894/
  
URLhaus
https://urlhaus.abuse.ch/url/1454935/
  
URLhaus
https://urlhaus.abuse.ch/url/1454943/
  
URLhaus
https://urlhaus.abuse.ch/url/1454953/
  
URLhaus
https://urlhaus.abuse.ch/url/1454963/
  
URLhaus
https://urlhaus.abuse.ch/url/1454965/
  
URLhaus
https://urlhaus.abuse.ch/url/1454964/
  
URLhaus
https://urlhaus.abuse.ch/url/1454984/
  
URLhaus
https://urlhaus.abuse.ch/url/1454995/
  
URLhaus
https://urlhaus.abuse.ch/url/1454996/
  
URLhaus
https://urlhaus.abuse.ch/url/1455616/
  
URLhaus
https://urlhaus.abuse.ch/url/1456454/

Comments


Avatar
zbet commented on 2021-07-14 17:41:15 UTC

url : hxxp://buyer-remindment.com:8088/wp-theme/file11.bin