MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8c56a2e79f9c648130668de931327b8fbd66059aed2e889a5189f916cd51cc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8c56a2e79f9c648130668de931327b8fbd66059aed2e889a5189f916cd51cc0
SHA3-384 hash: 1f74fce888514858650f57f91a2c89224ece0a576fb1156433e63a284fda88e2ad2760c83c121421e2f3a939978f387d
SHA1 hash: 957166fbcdc59dfbb76af0fa2785c1998397c225
MD5 hash: 0cb529d172928d5648ec43fb343079d7
humanhash: lemon-romeo-arkansas-summer
File name:icon_0wsjqu.png
Download: download sample
Signature Dridex
Create hunting rule
File size:179'712 bytes
First seen:2021-07-28 15:39:46 UTC
Last seen:2021-07-28 16:49:50 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9451e8b8b1259e622801dd0cdc59802c (11 x Dridex)
ssdeep 3072:PCpOe6ths2hyT0DzJfN3ZKU3YkmN5Sw4Q2kUl59Pn9ebAAW0f3:PCpOem/DzJhok45X4HPwb
Threatray 4'675 similar samples on MalwareBazaar
TLSH T1D304D08FC297C9F8EC62063C1917911B1669BC024F3DEE7BC6C2D92DC748D68486EA5D
Reporter abuse_ch
Tags:22201 dll Dridex


Avatar
abuse_ch
Dridex payload URL:
http://azuredocs.org:8088/wp-content/icon_0wsjqu.png

Dridex C2s:
46.55.222.10:443
104.248.178.90:4664
173.212.243.155:7002

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174705/
Detection(s):
SecuriteInfo.com.Variant.Graftor.981531.32097.6060.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cef0cfa4-3944-4217-9e92-26c4babeb715
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/823185
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found PHP interpreter
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455594 Sample: icon_0wsjqu.png Startdate: 28/07/2021 Architecture: WINDOWS Score: 76 17 104.248.178.90 DIGITALOCEAN-ASNUS United States 2->17 19 173.212.243.155 CONTABODE Germany 2->19 21 46.55.222.10 BALCHIKNETBG Bulgaria 2->21 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected Dridex unpacked file 2->27 29 3 other signatures 2->29 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 cmd.exe 1 9->11         started        process6 13 rundll32.exe 11->13         started        process7 15 WerFault.exe 23 9 13->15         started       
Gathering data
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 14:26:33 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dcwultz7hdeqeygndpjgezhxd55myczv3jorcnfdcpzc3gvdtaa._file
Verdict:
malicious
Label(s):
doppeldridex
Create hunting rule
dridex
Create hunting rule
Similar samples:
190b2cdfa53eaab02c24d69923988103a84cd2862c6c9d70a18feebbb3f0bc64
Dridex
26a7de83424d94c22548e9b135d55093525009ed266a919983a7c791a9f35a97
Dridex
297fa628e174f62edfc8ecf1e4ec79d8f177fe89308a0c04a0b55693af0a776f
Dridex
4029e74468c92f45602e675f3f3ec1b45489ca962f36700434021ddc0e3acc26
Dridex
59e61b5ec3eb024ce68f9011a69ccb617120fb95100835d173e44c8dc4d08924
Dridex
71fb5ec5a1424b9965bf487a41e24e04e6cd20fb256b283b8262a6592aa90114
Dridex
828d60f696d4ee8c80b6a17a3b2462a744d87297b8016488ef67dc20ca86a5be
Dridex
901782479cf975a8b2811264fd34f2e6fde694dcb968ce8bf502cb054ac9eb5a
Dridex
e7c74e4d190b77f63788a032c28c4c4a819edc736697152f0a3e217aba7f5e97
Dridex
f4da618ff77a88dc769e3e6c7c0614a4975ca65b400688ee21233894cd311a0f
Dridex
+ 4'665 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:22201 botnet loader
Link:
https://tria.ge/reports/210728-jlzpqmxyxs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Dridex Loader
Dridex
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
46.55.222.10:443
104.248.178.90:4664
173.212.243.155:7002
Unpacked files
SH256 hash:
0ea1c6d243f0bb670cfee8f0b14a228a3bfe53478fd40cdf85641ce1204993a8
MD5 hash:
dd9abed0e3b3abde98e6f5924541df1c
SHA1 hash:
555773056834ecf4b8d5e766c5ea445c00b3c9b8
Detections:
win_dridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/4916be87-9be6-4eff-afaa-ed53d1248f26/
Parent samples :
f8c56a2e79f9c648130668de931327b8fbd66059aed2e889a5189f916cd51cc0
f034db216df8d2e4b49cdfeae61e367c021d40458433f2af1068db8a9823d7d9
f41f8a10bb34e70b9b6299b97008a996c11ea663546aa491dac882a63038ec3c
cc2225427a9465620f4fb894cb999802c7aaaf2703d4aab275fb49d8774171e2
0eada128b45a683c41d6da28fe1aa1be6b8bce3e3934c95d98f75e1c33639eed
1d494dd45497f3eb51817013dcd072da86410233e75f296a5840567740691b64
abafe8306d007ef0c693fdac39cec74d01fd0c31d7e9eeb9c9aae1dcfb279db6
0893622b4cc79e8ab24242dc4b5fc2640accb0170ca99c91643ba3b2f89a80a7
fe8ad836bd93823a5bd495e56bc54f7f57db0bba46c0662bcd6ae87b42eb3555
0b32835f121d563857dc69b69ddfdd56dbd6ce93d7d6dce074891cf1c16e96e5
688bc9341860e2f04f307f162f71a628896bc6ca9fa200be54eee05a4b69cb72
SH256 hash:
217bbc08795f6cefaa4dac37a1c9d526d01716147eee9c339bff870020ec264b
MD5 hash:
b5725bb6701f59316f4429ef8c52d8af
SHA1 hash:
f490feb153d6b1f746604241a314c1c6d1132674
Detections:
win_doppeldridex_auto
Create hunting rule
Link:
https://www.unpac.me/results/4916be87-9be6-4eff-afaa-ed53d1248f26/
SH256 hash:
f8c56a2e79f9c648130668de931327b8fbd66059aed2e889a5189f916cd51cc0
MD5 hash:
0cb529d172928d5648ec43fb343079d7
SHA1 hash:
957166fbcdc59dfbb76af0fa2785c1998397c225
Link:
https://www.unpac.me/results/4916be87-9be6-4eff-afaa-ed53d1248f26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/f8c56a2e79f9c648130668de931327b8fbd66059aed2e889a5189f916cd51cc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Dridex

Excel file xlsm d18c514f56454991d876242e6a626701df15a9c8b6f577685e94d536233d37c1

Dridex

DLL dll f8c56a2e79f9c648130668de931327b8fbd66059aed2e889a5189f916cd51cc0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1487667/
  
Dropped by
SHA256 d18c514f56454991d876242e6a626701df15a9c8b6f577685e94d536233d37c1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174705/
  
URLhaus
https://urlhaus.abuse.ch/url/1487929/
  
URLhaus
https://urlhaus.abuse.ch/url/1487807/
  
URLhaus
https://urlhaus.abuse.ch/url/1487859/

Comments