MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c54495e55e1b18bea4e6e36ab10dadb115db761a4255f7379f268eb9e28e96d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c54495e55e1b18bea4e6e36ab10dadb115db761a4255f7379f268eb9e28e96d4
SHA3-384 hash: c31a91496ca7a9ad526196e59505e0336bc7b7044e109f0732790d366cc9eaaa016461c03c234b60f4769e9f632481c5
SHA1 hash: e168558c42bf7f19988aa247e63e3a50a3df930f
MD5 hash: 252f580a1cd8c35c54f39c89c0929c08
humanhash: batman-johnny-lake-nuts
File name:ocxfutur.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:348'160 bytes
First seen:2020-08-03 18:24:27 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e81d661297b19a653ed22679ae764e41 (1 x TrickBot)
ssdeep 6144:v+yqxwWF9mKVIfsRGj8Zl5yw8XpEY3SZR07qi3hl4f:U+WFYKO4Sw8+N+p3hl4f
Threatray 1'821 similar samples on MalwareBazaar
TLSH 1274E0117686C073E34E263D493693626A3BBE219FB255CB3B885B7E5F392C15B34306
Reporter abuse_ch
Tags:chil84 dll TrickBot


Avatar
abuse_ch
Malspam distributing TrickBot:

HELO: antelope.elm.relay.mailchannels.net
Sending IP: 23.83.212.4
From: sales@beamgl.com
Subject: Delayed invoice statement_0013069688 email
Attachment: form_0013069688.doc

TrickBot payload URL:
http://188.40.203.223/k685Ux28Xt9QWGqK.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38070/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/408378
Signature
Allocates memory in foreign processes
Found malware configuration
Machine Learning detection for sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c54495e55e1b18bea4e6e36ab10dadb115db761a4255f7379f268eb9e28e96d4/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 18:26:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yvcjlzk6dmml5jhg4nvlcdnnwek5w5q2ijk7on47e2hltyuos3ka._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
2a29e1eaaff50f90c2a25a9be52a72ae194c2fe302f905818d90f7d5fb9c0437
TrickBot
348c1970f3ce0b20eda196db27b3596864d8e99bedf575855aa35f5b5f5fc084
TrickBot
5b53e93d56e20740ef468c0dc16bf4b0dc459007637874f1b2e8094f7d41e0a2
TrickBot
5c1df1958b639f2a2fac01fc28190ac4672facd0fe523efdedf2b2a24424d409
TrickBot
8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5
TrickBot
99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5
TrickBot
a97d416fd7fc1f37199012e44f1d6b1946b59f7d6b92b89d38dbee74a18c7554
TrickBot
b65ca1af4590bbec9aa558319c6491db8235a555de83345e71b69feb69163e58
TrickBot
cd327c510c630f47d64c6e7bde422574480f57f6c455d41a2b0c7072e43779f7
TrickBot
f89b1d7e34810a16343159b8bb4700cfa548b58e2ab589bb1c6bee3455fd5f71
TrickBot
+ 1'811 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200803-2sza9gfcse/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c54495e55e1b18bea4e6e36ab10dadb115db761a4255f7379f268eb9e28e96d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Word file doc e6c1bfd8e406d93ac4efd82f7901e713d44b7326786bd76ba478b8e4f60f5b7a

TrickBot

DLL dll c54495e55e1b18bea4e6e36ab10dadb115db761a4255f7379f268eb9e28e96d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/host/185.234.72.77/
  
Dropped by
MD5 372ece0deda1280d74ab5f535b754af5
  
Dropped by
SHA256 e6c1bfd8e406d93ac4efd82f7901e713d44b7326786bd76ba478b8e4f60f5b7a
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38070/

Comments