MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a5fe72160ae5a32d792fbdb951ccc4f734b1a1d801f74beebf520a347409c20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a5fe72160ae5a32d792fbdb951ccc4f734b1a1d801f74beebf520a347409c20
SHA3-384 hash: 421b9ee4fc6f1b551f7d4fd6bc3a2dcc084de2211d3aebc9c78a64305e6cc15d771cb493f2446b923c770d9463d47123
SHA1 hash: 9d4436180f788b10e25c722b92f14aa667605f97
MD5 hash: 1d0ee5fd01f5abff1dedd5ce5b909e93
humanhash: lake-kansas-jig-chicken
File name:PO1DD.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:337'408 bytes
First seen:2020-08-13 15:05:38 UTC
Last seen:2020-08-13 18:37:20 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash cfcf952785838426851201af954c6476 (1 x TrickBot)
ssdeep 6144:TQ9W5ur84gWF6l0by8tca3hUXuwbN39IVorI1ZNSm:s9f84rEl07Wa3Gfb1+gI7Nb
Threatray 2'841 similar samples on MalwareBazaar
TLSH BC74CF0236918474E2BF033A0574AA111B7EBD618FB6DECB77989D0E5A742C1AF31763
Reporter abuse_ch
Tags:dll po1 TrickBot


Avatar
abuse_ch
Malspam distributing TrickBot:

HELO: clixpaid.club
Sending IP: 185.159.83.31
From: Ada Lambert <support@clixpaid.club>
Subject: I am still anticipating your reply
Attachment: Information_1597326608.doc

TrickBot payload URL:
http://www.hanayadefi.com/js/PO1DD.dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45265/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/426731
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 266013 Sample: PO1DD.dll Startdate: 15/08/2020 Architecture: WINDOWS Score: 84 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Yara detected Trickbot 2->48 8 loaddll32.exe 1 2->8         started        10 regsvr32.exe 2->10         started        process3 process4 12 regsvr32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 regsvr32.exe 10->17         started        signatures5 52 Writes to foreign memory regions 12->52 54 Allocates memory in foreign processes 12->54 56 Delayed program exit found 12->56 58 Contains functionality to detect sleep reduction / modifications 12->58 19 wermgr.exe 3 12->19         started        23 iexplore.exe 12 85 15->23         started        25 wermgr.exe 2 17->25         started        process6 dnsIp7 30 45.148.120.195, 443, 49789, 49793 SKB-ENTERPRISENL Netherlands 19->30 32 5.149.253.99, 443, 49786, 49787 HZ-CA-ASBG United Kingdom 19->32 34 107.174.196.242, 443, 49795 AS-COLOCROSSINGUS United States 19->34 50 Tries to detect virtualization through RDTSC time measurements 19->50 36 192.168.2.1 unknown unknown 23->36 27 iexplore.exe 5 164 23->27         started        signatures8 process9 dnsIp10 38 pagead.l.doubleclick.net 172.217.168.2, 443, 49760, 49761 GOOGLEUS United States 27->38 40 id.rlcdn.com 35.244.245.222, 443, 49758, 49759 GOOGLEUS United States 27->40 42 18 other IPs or domains 27->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a5fe72160ae5a32d792fbdb951ccc4f734b1a1d801f74beebf520a347409c20/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 15:07:04 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
4a97c7666ce53a862a84873ad6bcfcd84b5cddd216ac6aa4f15998802d90f94e
TrickBot
5c1df1958b639f2a2fac01fc28190ac4672facd0fe523efdedf2b2a24424d409
TrickBot
8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5
TrickBot
8c47730867b57083f6ec4ab8c237f32f556c04ee4a973f2fc1c1be2919e49199
TrickBot
99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5
TrickBot
abf19ae052175c20ea330d7ab6e42b03c5981d11c0b7a6ced591a79eaace7f61
TrickBot
ae4ae1071a58c4748e9238e4285483537c3369ca87fceba17e617c27f6146e51
TrickBot
b65ca1af4590bbec9aa558319c6491db8235a555de83345e71b69feb69163e58
TrickBot
c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db
TrickBot
d3490e778e6bab64c1e2e10632335a0f6c58c86155599b22e6b184cf4bf78d83
TrickBot
+ 2'831 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200813-b94sgfp9hs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a5fe72160ae5a32d792fbdb951ccc4f734b1a1d801f74beebf520a347409c20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Word file doc 9fc10844ade012b9c7db19c6f2826fac55fd498abde41b5d45fdfc18393f3aaf

TrickBot

DLL dll 4a5fe72160ae5a32d792fbdb951ccc4f734b1a1d801f74beebf520a347409c20

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/432025/
  
Dropped by
MD5 14131fed7cc3fe97321d9394c4cd60d2
  
Dropped by
SHA256 9fc10844ade012b9c7db19c6f2826fac55fd498abde41b5d45fdfc18393f3aaf
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45265/
  
URLhaus
https://urlhaus.abuse.ch/url/432634/

Comments