MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5
SHA3-384 hash:	dd81a50583ba4185b9a47a8a25ccc79e87e172fe4d2fee7fc322564c27e3018593ca84c06c290fd667d89491ae92c678
SHA1 hash:	0b4d3667cdc2da2f93398a576c98f70ef960568d
MD5 hash:	4df3128d3db0f609767ca8e733de8f03
humanhash:	orange-michigan-oklahoma-seven
File name:	update.dll
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	393'728 bytes
First seen:	2020-07-07 19:22:37 UTC
Last seen:	2020-07-07 20:18:09 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	89ed1bc251d6c3e47d163c5f895ad913 (7 x TrickBot)
ssdeep	6144:nMhYHNPwSmAO7AOFmBU7qwVp4VLmX9CeXc47hZgl:nMKHdxmZiB4qwuVKFn7vW
Threatray	4'916 similar samples on MalwareBazaar
TLSH	E684DF0075E2C0B2C47E23B76A1AAFB10269FD118B68D9F777E81E0E6D742C07677652
Reporter	abuse_ch
Tags:	dll GBR geo TrickBot

abuse_ch

Malspam distributing TrickBot:

HELO: vps.kcbariatric.com
Sending IP: 64.50.161.137
From: Lash <bpierce@kcbariatric.com>
Subject: Form 1099 adjustments as well as possible fee notification email
Attachment: Form_1099_5715537.xls

TrickBot payload URL:
http://88.119.174.222/Gadsz15MT25YBi5i.php

Intelligence

File Origin

# of uploads :

2

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22416/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Unauthorized injection to a system process

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2020-07-07 19:24:05 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

emotet

Similar samples:

2a29e1eaaff50f90c2a25a9be52a72ae194c2fe302f905818d90f7d5fb9c0437

3611be7ee60f1adb4a14f2d5d307d7375fb8a9013d0ae24af5e639bcc524a595

52f2ed434833d33d042270f665b6e5c08b38fdd8961f7daea60fe6faae786824

7fb688f33ebc7b9c193aa87c8638f78e93511354a187822e7d06c1668f30da82

8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5

8c47730867b57083f6ec4ab8c237f32f556c04ee4a973f2fc1c1be2919e49199

97c6fdb81fcc7d56b44c314ad21d2ef5e85299e18cff95cebc54b9192c025902

b4eb31112cb2d0686ea3e88ab33569a0c902cb14331bb5f12a206d6f61b6b1fe

b65ca1af4590bbec9aa558319c6491db8235a555de83345e71b69feb69163e58

c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db

+ 4'906 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200707-nnh6kp89ga/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xls 2e0487c6cbecd68c83166ebf8742f9784be52dba4d77d37a359bacb33790cb76

DLL dll 99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/408746/

Dropped by

MD5 d1bda4049e740009dff39fe1698cb00a

Dropped by

SHA256 2e0487c6cbecd68c83166ebf8742f9784be52dba4d77d37a359bacb33790cb76

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/22416/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample