MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52f2ed434833d33d042270f665b6e5c08b38fdd8961f7daea60fe6faae786824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 5



SHA256 hash: 52f2ed434833d33d042270f665b6e5c08b38fdd8961f7daea60fe6faae786824
SHA3-384 hash: 3bd48e9812d76940ca23ba9251bed48783d32ac804e53ad86762b92d65256b3bf3e4b1f03a0d723b7bad5b0cb2579ae0
SHA1 hash: 3c2f5dfefc7813686e9d29b3d5b06c12a09995f0
MD5 hash: d68ebf37b8aa0b72def326e7cdef09b6
humanhash: nine-green-social-dakota
File name: update.dll
Signature: TrickBot
File size: 393'728 bytes
First seen: 2020-07-08 05:35:58 UTC
Last seen: Never
File type: dll
MIME type: application/x-dosexec
imphash: 89ed1bc251d6c3e47d163c5f895ad913 (7 x TrickBot)
ssdeep: 6144:nMhYHvPwSmAO7AOFmBU7qwVp4VLmX9CeXc47hZgl:nMKHHxmZiB4qwuVKFn7vW
Threatray: 5'023 similar samples on MalwareBazaar
TLSH: 6A84DF0075E2C0B2C47E23B76A1AAFB10269FD118B68D9F777E81E0E6D742C07677652
Reporter: abuse_ch
Tags: chil61 dll GBR geo TrickBot


abuse_ch
Malspam distributing TrickBot:

HELO: mail16c40.carrierzone.com
Sending IP: 209.235.156.211
From: Hartmann <info@rayteccanada.com>
Subject: The form 1099 changes as well as probable fine notice
Attachment: IRS_form_7559663.xls

TrickBot payload URL:
http://185.45.192.232/34fhjdgEN3q.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 125
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a system process
Threat name: Win32.Trojan.TrickBot
Status: Malicious
First seen: 2020-07-08 05:37:05 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

dll 52f2ed434833d33d042270f665b6e5c08b38fdd8961f7daea60fe6faae786824 (this sample)
