MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abf19ae052175c20ea330d7ab6e42b03c5981d11c0b7a6ced591a79eaace7f61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 8



SHA256 hash: abf19ae052175c20ea330d7ab6e42b03c5981d11c0b7a6ced591a79eaace7f61
SHA3-384 hash: 69c174ec2e7024f57bc4d9951f460169dacddb454c7cea8781e3e7c18f8d7f82244c103ee3f95e9120de78493248ba54
SHA1 hash: 49e02768a9565a93ea04aced6544f514261faeab
MD5 hash: dfad9da0abcdca56b0dde36fb6ea5fbe
humanhash: bluebird-steak-foxtrot-april
File name: update.dll
Signature: TrickBot
File size: 446'464 bytes
First seen: 2020-07-21 14:15:14 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: df4d6875e818a2e544aca6bea64b1b6f (1 x TrickBot)
ssdeep: 6144:nn9ysDBrrdXdAZf8IL0dioR6HvrukfL2D07PN7G:nn9/DBldAhw6lfd9
Threatray: 4'946 similar samples on MalwareBazaar
TLSH: 8494CF113994C436E5FB01724128A6520ABEB9B29BB6CDDBBFCC0D4E1B386C1A735753
Reporter: abuse_ch
Tags: chil73, dll, GBR, geo, TrickBot


abuse_ch
Malspam distributing TrickBot:

HELO: mx-out.tlen.pl
Sending IP: 193.222.135.158
From: Claire Perry <laurinaulk3@go2.pl>
Subject: Overdue notification for Swales Haulage Limited
Attachment: Invoice_8262.xls

TrickBot payload URL:
http://206.221.176.164/a00Ik249xU6Gi.php
http://51.77.100.161/images/update.dll

Intelligence

File Origin
# of uploads: 1
# of downloads: 97
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Launching a process
Creating a window
Unauthorized injection to a system process

Result
Threat name: Trickbot
Detection: malicious
Classification: spre.troj.evad
Score: 92 / 100
Behaviour:
Behavior Graph ID 249033 (sample: update.dll, start date: 22/07/2020, architecture: WINDOWS, score: 92)
Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Trickbot; Writes to foreign memory regions; Allocates memory in foreign processes; Delayed program exit found; Tries to detect virtualization through RDTSC time measurements; Infects executable files (exe, dll, sys, html)
Process tree: loaddll32.exe -> regsvr32.exe -> wermgr.exe; loaddll32.exe -> cmd.exe -> iexplore.exe -> iexplore.exe
Network, wermgr.exe: 36.91.45.10:449 (TELKOMNET-AS2-APP PT Telekomunikasi Indonesia, ID); 5.1.81.68:443 (COMBAHTON combahton GmbH, DE); 3 other IPs or domains
Network, iexplore.exe: pagead.l.doubleclick.net 172.217.168.2:443 (GOOGLE, US); id.rlcdn.com 35.244.245.222:443 (GOOGLE, US); 17 other IPs or domains
Dropped file: C:\Users\user\AppData\...\medianet[1].htm (HTML)

Result
Threat name: Win32.Trojan.TrickBot
Status: Malicious
First seen: 2020-07-21 14:17:05 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: TrickBot
File type: DLL
SHA256: abf19ae052175c20ea330d7ab6e42b03c5981d11c0b7a6ced591a79eaace7f61 (this sample)