MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff0b0878821718f9f9626ee6f60ac6268f9a3c529f18cacf485236767f249f23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dridex


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff0b0878821718f9f9626ee6f60ac6268f9a3c529f18cacf485236767f249f23
SHA3-384 hash: 864bdd4668f9bd1df38094268a2d130fb903d7f69712172fa597eddfd0d1f941a4d3391b9a0ee29ed69c545286bb0707
SHA1 hash: 593e5c032de20268d97b911dce86fe7af06d643d
MD5 hash: 6678c0c700a81cd5752fa4cd214feae4
humanhash: virginia-avocado-wolfram-rugby
File name:6678c0c700a81cd5752fa4cd214feae4.dll
Download: download sample
Signature Dridex
Create hunting rule
File size:634'880 bytes
First seen:2021-10-13 17:58:39 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 0e85111d46389e6a0b245ea738757602 (1 x Dridex)
ssdeep 12288:LE6rSiT4Tbs3j09TMmonCh5atbz9+eoQoUZpDd7Da1nX9y1OO/zFZx:Je103j0dMZnCutz4zI5xDwXUkm
Threatray 871 similar samples on MalwareBazaar
TLSH T1A9D4F7013A04E821E7E55575DE2AC6E85B183D49EFB1A4CB78E17F0F2ABA9F3D215301
Reporter abuse_ch
Tags:dll Dridex

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DridexLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197349/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.9773.25313.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61671e6a9fb4d8593d63e29f/reports/706c42f3-c7ce-4fb9-a60d-4fe48671bdf3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99e82388-53c9-4d6f-846e-4fc97d25d1e0
Result
Threat name:
Dridex
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/869922
Signature
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected Dridex e-Banking trojan
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Dridex unpacked file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502350 Sample: yHm66D4wla.dll Startdate: 13/10/2021 Architecture: WINDOWS Score: 88 29 Found malware configuration 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected Dridex unpacked file 2->33 35 2 other signatures 2->35 7 loaddll32.exe 13 2->7         started        process3 signatures4 39 Detected Dridex e-Banking trojan 7->39 10 cmd.exe 1 7->10         started        12 rundll32.exe 7->12         started        15 rundll32.exe 7->15         started        17 rundll32.exe 7->17         started        process5 signatures6 19 rundll32.exe 12 10->19         started        41 Detected Dridex e-Banking trojan 12->41 process7 dnsIp8 23 174.128.245.202, 443, 49693, 49697 ST-BGPUS United States 19->23 25 51.83.3.52, 13786, 49694, 49698 OVHFR France 19->25 27 69.64.50.41, 49696, 49700, 49703 AS-30083-GO-DADDY-COM-LLCUS United States 19->27 37 System process connects to network (likely due to code injection or exploit) 19->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff0b0878821718f9f9626ee6f60ac6268f9a3c529f18cacf485236767f249f23/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 18:03:39 UTC
AV detection:
8 of 45 (17.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
dridex
Create hunting rule
gozi
Create hunting rule
Similar samples:
022300768af4879806a62b295825264657708576228f92efda2ba023ef0d955c
Dridex
04622665ec1dccb6fabcd0d62b24747bb650aa6964a84a966a633066c840d379
Dridex
06e41c9e1128631c9e0c2174ed4b367d0f6ed7e3481fdcc95b24d66edd02a45f
Dridex
3fd6a0b667270f85b4d929748b6b32d1ecb65d01fc0e3cec4bbc025452530f07
Dridex
88a94091ec39cf0fcb60f326e81f2a12ac40c6f41072f04dd0088d9c435e2d31
Dridex
a2c1142a25a5081b3ead3280a8f4405d5781032e556904a66196f2c7a3d27268
Dridex
a6c8e854f7c30f6390c39a1cea1393b949331a1b17b455dedd05fd7c92c7ff90
Dridex
b585a54184f3c933f4e0e38cadec4ada8950278bbdf69970b6f1539865772e36
Dridex
b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d
Dridex
c72fa2296308b8500ddb8c345035befee0711451d1272df8b6762c608e0cfb82
Dridex
+ 861 additional samples on MalwareBazaar
Result
Malware family:
dridex
Create hunting rule
Score:
  10/10
Tags:
family:dridex botnet:10222 botnet discovery evasion trojan
Link:
https://tria.ge/reports/211013-wkp95segam/
Behaviour
Suspicious use of WriteProcessMemory
Checks installed software on the system
Checks whether UAC is enabled
Blocklisted process makes network request
Dridex
Malware Config
C2 Extraction:
174.128.245.202:443
51.83.3.52:13786
69.64.50.41:6602
Unpacked files
SH256 hash:
b245f6a0e99328888cf57bfeec2b42b0dbd5e435988652d8b253430ca867b915
MD5 hash:
2665c2c03ee607d7eeb8638eeb287d25
SHA1 hash:
8c1a8ce8f29182aab5b3bfc2dadf93e90e6c4130
Link:
https://www.unpac.me/results/b373ac32-92c0-428c-b9e6-d57c49f6d40c/
SH256 hash:
ff0b0878821718f9f9626ee6f60ac6268f9a3c529f18cacf485236767f249f23
MD5 hash:
6678c0c700a81cd5752fa4cd214feae4
SHA1 hash:
593e5c032de20268d97b911dce86fe7af06d643d
Link:
https://www.unpac.me/results/b373ac32-92c0-428c-b9e6-d57c49f6d40c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff0b0878821718f9f9626ee6f60ac6268f9a3c529f18cacf485236767f249f23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Dridex

DLL dll ff0b0878821718f9f9626ee6f60ac6268f9a3c529f18cacf485236767f249f23

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1674116/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1674059/
  
URLhaus
https://urlhaus.abuse.ch/url/1674052/
  
URLhaus
https://urlhaus.abuse.ch/url/1674050/
  
URLhaus
https://urlhaus.abuse.ch/url/1674002/
  
URLhaus
https://urlhaus.abuse.ch/url/1674066/
  
URLhaus
https://urlhaus.abuse.ch/url/1674022/
  
URLhaus
https://urlhaus.abuse.ch/url/1674057/
  
URLhaus
https://urlhaus.abuse.ch/url/1674099/
  
URLhaus
https://urlhaus.abuse.ch/url/1673998/
  
URLhaus
https://urlhaus.abuse.ch/url/1674110/
  
URLhaus
https://urlhaus.abuse.ch/url/1674067/
Cape
Cape
https://www.capesandbox.com/analysis/197349/

Comments