MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1da83287dc71efd8d39d03f2c349830826b9c8698b0a7bb6cc6e7eb959428da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1da83287dc71efd8d39d03f2c349830826b9c8698b0a7bb6cc6e7eb959428da
SHA3-384 hash: 67efde6e0c72c4ef94aa2c85a2a725f993be91c7f267b5088e930030096d1a99244e7adb43a540f88d5cc69d42e42f63
SHA1 hash: 749817589b2ad782e0fe24087a401621be70b9e5
MD5 hash: f035afb3bbb9ddbab86705fc35ee3277
humanhash: tango-venus-sink-golf
File name:f035afb3bbb9ddbab86705fc35ee3277
Download: download sample
Signature Dridex
Create hunting rule
File size:167'936 bytes
First seen:2021-07-14 17:49:15 UTC
Last seen:2021-07-14 18:45:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e92132005097daafddd51d9c4d138d88 (6 x Dridex)
ssdeep 3072:27p3dQo86PI7e2seiAPWN6Ox1uTQjY48+STfLbh9w47sI5:s3dyj7NsenjOx1KQU5TTbbT
Threatray 4'574 similar samples on MalwareBazaar
TLSH T149F302D1F39B11FEFD596470960BAAA612A70C29C37CCAE7E110DC917DE48F7283512A
Reporter zbetcheckin
Tags:32 Dridex exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171796/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.20213.22152.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5c8ba2d7-9ff7-4606-ab05-6b94b00400d0
Result
Threat name:
Dridex Dropper
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816481
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Dridex dropper found
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
Detection:
dridex
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1da83287dc71efd8d39d03f2c349830826b9c8698b0a7bb6cc6e7eb959428da/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 17:30:43 UTC
File Type:
PE (Exe)
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hnigkd5y4pp3djz2a7syneygcbgxhegtcykpo3my3t6xfmufdna._file
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
4ec406d75588c4e395c1a5b93bf43da319684352061cf42876c704d92a52df92
Dridex
60292d0e9ee95a94029fc83e6caebd7d8bbc694bef446d90519df743cbc45cfe
Dridex
92bab194eb8d9e8189b184caef04bfc4e8b375ec095cd027d94a5fec73747e53
Dridex
9ff01c0edcf9082323a22fc225b4f2f7c9ff6d5b1f7c8d76c94da83b4c37ec25
Dridex
9ffe349bfcaac3ceffbbb5accf85814b0e08d204a02b63a9df9681235a464ecc
Dridex
d93210076662115315a8713a18a86f22051c45ab7216129daa9b5638a76dac43
Dridex
f00e60f5f094abfe9448d10cb84194e73c0e0f2cb52f00d474d6420cb001c579
Dridex
f418e50acd39dd9daf5a6f7ef7e18be397ee1850854333c6865d3ea0b6030111
Dridex
ff59f0cfc113ec9637aad80512fa7da4a2e77a0ac6ee26a055d73f00607d3217
Dridex
+ 4'564 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22201 botnet evasion loader trojan
Link:
https://tria.ge/reports/210714-g455lwdjbs/
Behaviour
Checks whether UAC is enabled
Dridex Loader
Dridex
Malware Config
C2 Extraction:
202.29.60.34:443
66.175.217.172:13786
78.46.78.42:9043
Unpacked files
SH256 hash:
7a2811a5c96a613a8bf259a1535ef18ddf9f1ec8733ebf90e9a8a8251d6acdaa
MD5 hash:
fe054fad8962d1cc167a4f8eb7b77efd
SHA1 hash:
2720f3059fdf8c906a763fcae4d62d045e67a11f
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/dc47f2db-2fdd-4841-8828-658090f8ad5c/
SH256 hash:
f1da83287dc71efd8d39d03f2c349830826b9c8698b0a7bb6cc6e7eb959428da
MD5 hash:
f035afb3bbb9ddbab86705fc35ee3277
SHA1 hash:
749817589b2ad782e0fe24087a401621be70b9e5
Link:
https://www.unpac.me/results/dc47f2db-2fdd-4841-8828-658090f8ad5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/f1da83287dc71efd8d39d03f2c349830826b9c8698b0a7bb6cc6e7eb959428da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DridexLoader
Create hunting rule
Author:kevoreilly
Description:Dridex v4 dropper C2 parsing function
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_doppeldridex_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.doppeldridex.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

Executable exe f1da83287dc71efd8d39d03f2c349830826b9c8698b0a7bb6cc6e7eb959428da

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171796/
  
URLhaus
https://urlhaus.abuse.ch/url/1454524/
  
URLhaus
https://urlhaus.abuse.ch/url/1454662/
  
URLhaus
https://urlhaus.abuse.ch/url/1454891/
  
URLhaus
https://urlhaus.abuse.ch/url/1454897/
  
URLhaus
https://urlhaus.abuse.ch/url/1454904/
  
URLhaus
https://urlhaus.abuse.ch/url/1454974/
  
URLhaus
https://urlhaus.abuse.ch/url/1454981/
  
URLhaus
https://urlhaus.abuse.ch/url/1455001/
  
URLhaus
https://urlhaus.abuse.ch/url/1455012/
  
URLhaus
https://urlhaus.abuse.ch/url/1455471/
  
URLhaus
https://urlhaus.abuse.ch/url/1455474/
  
URLhaus
https://urlhaus.abuse.ch/url/1455617/
  
URLhaus
https://urlhaus.abuse.ch/url/1455880/

Comments


Avatar
zbet commented on 2021-07-14 17:49:16 UTC

url : hxxp://buyer-remindment.com:8088/tpls/file5.bin