MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a97c7666ce53a862a84873ad6bcfcd84b5cddd216ac6aa4f15998802d90f94e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a97c7666ce53a862a84873ad6bcfcd84b5cddd216ac6aa4f15998802d90f94e
SHA3-384 hash: f04b648d5a674e9d17823a2e00727c06c4dbe2ac7f68cbf1db1344ae9c97a5a9e63c6d4d8f97331b4bceefca3aa503cf
SHA1 hash: c3a133516da37cabb12ce085d9621bd44c27f178
MD5 hash: 2554d51c0ddd338ddb40e4d759e5462c
humanhash: floor-high-juliet-robert
File name:SecuriteInfo.com.UDS.DangerousObject.Multi.Generic.9433
Download: download sample
Signature TrickBot
Create hunting rule
File size:263'680 bytes
First seen:2020-08-14 04:35:25 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1cf5b05e03ff8460cc8f9a19fe5f3114 (1 x TrickBot)
ssdeep 6144:fji7VnsddwE2M9eCL+abSgsSd3/nRnv8Rn4/35s5:bi7VGtIpXSFRn0xmW5
Threatray 2'848 similar samples on MalwareBazaar
TLSH 9344E0067680C4B5C5DA0235ADB9A7521B3E39B2DBF4C8C37F9612892DA03D1EB7D352
Reporter SecuriteInfoCom
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45511/
Detection(s):
SecuriteInfo.com.UDS.DangerousObject.Multi.Generic.9433.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/428493
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 266762 Sample: SecuriteInfo.com.UDS.Danger... Startdate: 15/08/2020 Architecture: WINDOWS Score: 84 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Yara detected Trickbot 2->48 8 loaddll32.exe 1 2->8         started        10 regsvr32.exe 2->10         started        process3 process4 12 regsvr32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 regsvr32.exe 10->17         started        signatures5 52 Writes to foreign memory regions 12->52 54 Allocates memory in foreign processes 12->54 56 Delayed program exit found 12->56 58 Contains functionality to detect sleep reduction / modifications 12->58 19 wermgr.exe 3 12->19         started        23 iexplore.exe 11 82 15->23         started        25 wermgr.exe 2 17->25         started        process6 dnsIp7 30 194.5.249.174, 443 NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO Romania 19->30 32 107.174.196.242, 443, 49769 AS-COLOCROSSINGUS United States 19->32 36 3 other IPs or domains 19->36 50 Tries to detect virtualization through RDTSC time measurements 19->50 34 192.168.2.1 unknown unknown 23->34 27 iexplore.exe 5 161 23->27         started        signatures8 process9 dnsIp10 38 pagead.l.doubleclick.net 216.58.215.226, 443, 49737, 49738 GOOGLEUS United States 27->38 40 id.rlcdn.com 35.244.245.222, 443, 49735, 49736 GOOGLEUS United States 27->40 42 20 other IPs or domains 27->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a97c7666ce53a862a84873ad6bcfcd84b5cddd216ac6aa4f15998802d90f94e/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 01:05:00 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
4a5fe72160ae5a32d792fbdb951ccc4f734b1a1d801f74beebf520a347409c20
TrickBot
5c1df1958b639f2a2fac01fc28190ac4672facd0fe523efdedf2b2a24424d409
TrickBot
8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5
TrickBot
8c47730867b57083f6ec4ab8c237f32f556c04ee4a973f2fc1c1be2919e49199
TrickBot
99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5
TrickBot
abf19ae052175c20ea330d7ab6e42b03c5981d11c0b7a6ced591a79eaace7f61
TrickBot
ae4ae1071a58c4748e9238e4285483537c3369ca87fceba17e617c27f6146e51
TrickBot
b65ca1af4590bbec9aa558319c6491db8235a555de83345e71b69feb69163e58
TrickBot
c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db
TrickBot
d3490e778e6bab64c1e2e10632335a0f6c58c86155599b22e6b184cf4bf78d83
TrickBot
+ 2'838 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200814-6rzzpcz38x/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a97c7666ce53a862a84873ad6bcfcd84b5cddd216ac6aa4f15998802d90f94e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 4a97c7666ce53a862a84873ad6bcfcd84b5cddd216ac6aa4f15998802d90f94e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/45511/
  
URLhaus
https://urlhaus.abuse.ch/url/432677/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/432678/

Comments