MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689
SHA3-384 hash:	5c0e57ed6cb0342bfb5a8404a6752502b724e1aed2415be8317f947adb28da201c0cdfdd754dfd191ea745f9d60a4565
SHA1 hash:	bbede20621c9c3c2f9ae12951161510898943576
MD5 hash:	b639dd87bf7b264f6f9abf7a539cc820
humanhash:	south-nebraska-california-monkey
File name:	footer1.dll
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	535'552 bytes
First seen:	2020-06-23 14:46:32 UTC
Last seen:	2020-06-23 16:05:19 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	0204ea810238f08f2784772d0970aaca (1 x TrickBot)
ssdeep	6144:jVgB84PzDjnZtI9l1RZWhprVUGpZAo6j1/iFi0MWFVIuSPsLc5S+wT7g7A/o:jGBLDjkFRZUVBDAo4qk0MlY2M87A/o
Threatray	1'896 similar samples on MalwareBazaar
TLSH	B7B4491130A3B235D26DB73607B7C7B19736BC34A566D12A2FD0BD6B2D362528CB7281
Reporter	abuse_ch
Tags:	dll TrickBot

abuse_ch

Malspam distributing TrickBot:

HELO: stanford-48.loosefoot.com
Sending IP: 208.68.106.48
From: Ian <steve@webberassociates.com>
Subject: W 2 Request
Attachment: W2_tax.xls

TrickBot payload URL:
http://23.95.231.200/images/footer1.dll

Intelligence

File Origin

# of uploads :

2

# of downloads :

90

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13132/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2020-06-23 14:48:04 UTC

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ajgr45ok5tusiyayk6z6mmnvne3hqqqvez6itvhlyihtejmpu2eq._file

Verdict:

malicious

Label(s):

trickbot

emotet

hawkeyekeylogger

Similar samples:

09e3570fe057bd4931487abc899f3ce06e3c48aa7e248d83fa9580003b0eac32

1455554d5585f68ec7212a6fca985aa7e3bb1904fce6dcfbb9a0b26751cbd23e

348c1970f3ce0b20eda196db27b3596864d8e99bedf575855aa35f5b5f5fc084

5b53e93d56e20740ef468c0dc16bf4b0dc459007637874f1b2e8094f7d41e0a2

5c1df1958b639f2a2fac01fc28190ac4672facd0fe523efdedf2b2a24424d409

8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5

9aa0f2a8b7cf8b2943a8d95a4808170aeae514e14cd318f5e8ab200e6e846838

a97d416fd7fc1f37199012e44f1d6b1946b59f7d6b92b89d38dbee74a18c7554

b4eb31112cb2d0686ea3e88ab33569a0c902cb14331bb5f12a206d6f61b6b1fe

f89b1d7e34810a16343159b8bb4700cfa548b58e2ab589bb1c6bee3455fd5f71

+ 1'886 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

trojan banker family:trickbot

Link:

https://tria.ge/reports/200624-496plbmb22/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Templ.dll packer

Trickbot

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xls 04c2d16ee5463453c04a6b4645f6a36f2485d91bd86fb18a9ed20446fdc57728

DLL dll 024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/400734/

Dropped by

MD5 f373533d3c6c8acc02493933a9fa72a2

Dropped by

SHA256 04c2d16ee5463453c04a6b4645f6a36f2485d91bd86fb18a9ed20446fdc57728

Cape

Cape

https://www.capesandbox.com/analysis/13132/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample