MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97c6fdb81fcc7d56b44c314ad21d2ef5e85299e18cff95cebc54b9192c025902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	97c6fdb81fcc7d56b44c314ad21d2ef5e85299e18cff95cebc54b9192c025902
SHA3-384 hash:	bd0cc3efa093faa55aae21a9404c5c0da2b8f2381168b3c8d8ada3ad2bc2f9b7b7a37f401384ece90978295639ee2bfc
SHA1 hash:	903440d349190360ce0fc84bd6c32f3e9a95a02c
MD5 hash:	f93a2db1e096cc876b72aeaae82451f9
humanhash:	vermont-nebraska-vegan-eleven
File name:	update.dll
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	393'728 bytes
First seen:	2020-07-08 05:39:50 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	89ed1bc251d6c3e47d163c5f895ad913 (7 x TrickBot)
ssdeep	6144:nMhYHYPwSmAO7AOFmBU7qwVp4VLmX9CeXc47hZgl:nMKHmxmZiB4qwuVKFn7vW
Threatray	5'023 similar samples on MalwareBazaar
TLSH	4B84DF0075E2C0B2C47E23B76A1AAFB10269FD118B68D9F777E81E0E6D742C07677652
Reporter	abuse_ch
Tags:	chil61 dll GBR geo TrickBot

abuse_ch

Malspam distributing TrickBot:

HELO: host.tomaxusa.com
Sending IP: 69.167.150.46
From: Walker <orders@tomaxusa.com>
Subject: The IRS form improvements along with probable fine notification email
Attachment: Form_1099_1793465.xls

TrickBot payload URL:
http://185.180.197.66/2VJDZ6JaqzEiq.php

Intelligence

File Origin

# of uploads :

1

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22787/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

SecuriteInfo.com.Generic.mg.127ef92e6a3bc658.9114.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Unauthorized injection to a system process

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/97c6fdb81fcc7d56b44c314ad21d2ef5e85299e18cff95cebc54b9192c025902/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2020-07-08 05:41:05 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

emotet

Similar samples:

52f2ed434833d33d042270f665b6e5c08b38fdd8961f7daea60fe6faae786824

5c1df1958b639f2a2fac01fc28190ac4672facd0fe523efdedf2b2a24424d409

8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5

8c47730867b57083f6ec4ab8c237f32f556c04ee4a973f2fc1c1be2919e49199

99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5

a97d416fd7fc1f37199012e44f1d6b1946b59f7d6b92b89d38dbee74a18c7554

ae4ae1071a58c4748e9238e4285483537c3369ca87fceba17e617c27f6146e51

b65ca1af4590bbec9aa558319c6491db8235a555de83345e71b69feb69163e58

c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db

d3490e778e6bab64c1e2e10632335a0f6c58c86155599b22e6b184cf4bf78d83

+ 5'013 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200708-gmr3wfjz3j/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xls 2b354d7dccd32f56af516f35821d9d389271da55cd4c9c7a97f30303d1136e04

DLL dll 97c6fdb81fcc7d56b44c314ad21d2ef5e85299e18cff95cebc54b9192c025902

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/408873/

Dropped by

MD5 ea758830f5d03ac75190267289d4971a

Dropped by

SHA256 2b354d7dccd32f56af516f35821d9d389271da55cd4c9c7a97f30303d1136e04

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/22787/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample