MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db
SHA3-384 hash:	51bbec59cafefc4fc6d9258fbdaceac42f9204ca4509246161cd64d2520c874e54b449eda2e967fbede1c617793f8d1e
SHA1 hash:	410618a0bc0d5b2fbbaac7300eb5f9a23aaa1582
MD5 hash:	3c17307c78c69358758cd1dd45cc1ef0
humanhash:	sad-butter-nevada-tennessee
File name:	update.dll
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	393'728 bytes
First seen:	2020-07-08 05:42:46 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	89ed1bc251d6c3e47d163c5f895ad913 (7 x TrickBot)
ssdeep	6144:nMhYHUPwSmAO7AOFmBU7qwVp4VLmX9CeXc47hZgl:nMKHKxmZiB4qwuVKFn7vW
Threatray	5'023 similar samples on MalwareBazaar
TLSH	AA84DF0075E2C0B2C47E23B76A1AAFB10269FD118B68D9F777E81E0E6D742C07677652
Reporter	abuse_ch
Tags:	chil61 dll GBR geo TrickBot

abuse_ch

Malspam distributing TrickBot:

HELO: p-impout001.msg.pkvw.co.charter.net
Sending IP: 47.43.26.136
From: Thomas <winchfield@twc.com>
Subject: The IRS form improvements along with probable fee alert
Attachment: IRS_form_3690735.xls

TrickBot payload URL:
http://93.189.41.196/2vOOR7gAPrc1eq.php

Intelligence

File Origin

# of uploads :

1

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Detection:

TrickBot

Link:

https://www.capesandbox.com/analysis/22789/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

SecuriteInfo.com.Generic.mg.127ef92e6a3bc658.9114.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Unauthorized injection to a system process

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2020-07-08 05:44:06 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

emotet

Similar samples:

52f2ed434833d33d042270f665b6e5c08b38fdd8961f7daea60fe6faae786824

5c1df1958b639f2a2fac01fc28190ac4672facd0fe523efdedf2b2a24424d409

8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5

8c47730867b57083f6ec4ab8c237f32f556c04ee4a973f2fc1c1be2919e49199

97c6fdb81fcc7d56b44c314ad21d2ef5e85299e18cff95cebc54b9192c025902

99d62f68414740eb9e6c2719cf22d67e5f5f4cb3fe0a4be34e7438d826844ff5

a97d416fd7fc1f37199012e44f1d6b1946b59f7d6b92b89d38dbee74a18c7554

ae4ae1071a58c4748e9238e4285483537c3369ca87fceba17e617c27f6146e51

b65ca1af4590bbec9aa558319c6491db8235a555de83345e71b69feb69163e58

d3490e778e6bab64c1e2e10632335a0f6c58c86155599b22e6b184cf4bf78d83

+ 5'013 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200708-tksg7l4tbn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xls 7e3638d120694383935bb8b66f6e20fd9cfb2902d7865a4d8eb6d751175579ba

DLL dll c7b6b5c5fd0241015dea2d5bf76f50143844676bec4b1a57284af92a75a367db

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/408874/

Dropped by

MD5 85d0e857f338ce777927f0e3fda149d5

Dropped by

SHA256 7e3638d120694383935bb8b66f6e20fd9cfb2902d7865a4d8eb6d751175579ba

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/22789/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample