MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f89b1d7e34810a16343159b8bb4700cfa548b58e2ab589bb1c6bee3455fd5f71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f89b1d7e34810a16343159b8bb4700cfa548b58e2ab589bb1c6bee3455fd5f71
SHA3-384 hash: abef48e41b4573d9c53c70dd84a9b6a7517df3ec72918f4f24870f365ded56669b2bcadeb231e957aa08e6dcd6e21dc4
SHA1 hash: ecfda2f6337744f1063ecc2066c55d7c24011089
MD5 hash: be8633e9385cf9a1a48448f12b264923
humanhash: oven-sweet-lithium-comet
File name:updating.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:270'848 bytes
First seen:2020-07-25 07:03:55 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash b2678359a821671668305ed97beeee5e (1 x TrickBot)
ssdeep 3072:i5URa54U45A1i2RwDubeDd3VOwui7bd6ND1NTmZGOf/rOWjiF9EGD1xXVEq5HR9k:+4e11Q3VOwQkf/rOWO7jD1xBHYSZU
Threatray 2'174 similar samples on MalwareBazaar
TLSH DE44F12277E9C0B2E41E61B15065D6A0AE6CF8218FF1CA4F7FD7532E4E616D1522B30B
Reporter abuse_ch
Tags:chil77 dll GBR geo TrickBot


Avatar
abuse_ch
Malspam distributing TrickBot:

HELO: sg2nlvphout01.shr.prod.sin2.secureserver.net
Sending IP: 182.50.132.195
From: golf@capricornresortgolf.com.au
Subject: Signe from Whirlpool Motors - tardy payment
Attachment: payment_2020_06_578184.xls

TrickBot payload URLs:
http://188.40.203.198/o3Mrg8bqRzC.php
http://198.46.198.115/images/updating.dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32321/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Generic.mg.0feaaf96b32a4c15.3754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/397835
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f89b1d7e34810a16343159b8bb4700cfa548b58e2ab589bb1c6bee3455fd5f71/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-07-25 07:05:06 UTC
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
024d1e75caece924601857b3e631b56936784215267c89d4ebc20f32258fa689
TrickBot
1455554d5585f68ec7212a6fca985aa7e3bb1904fce6dcfbb9a0b26751cbd23e
TrickBot
348c1970f3ce0b20eda196db27b3596864d8e99bedf575855aa35f5b5f5fc084
TrickBot
3611be7ee60f1adb4a14f2d5d307d7375fb8a9013d0ae24af5e639bcc524a595
TrickBot
5c1df1958b639f2a2fac01fc28190ac4672facd0fe523efdedf2b2a24424d409
TrickBot
8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5
TrickBot
a87a1461c989e6a6a28768733633d89fb4a79e24a8475f745e379d958df68741
TrickBot
a97d416fd7fc1f37199012e44f1d6b1946b59f7d6b92b89d38dbee74a18c7554
TrickBot
b4eb31112cb2d0686ea3e88ab33569a0c902cb14331bb5f12a206d6f61b6b1fe
TrickBot
cd327c510c630f47d64c6e7bde422574480f57f6c455d41a2b0c7072e43779f7
TrickBot
+ 2'164 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200725-1ss52h1kr6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f89b1d7e34810a16343159b8bb4700cfa548b58e2ab589bb1c6bee3455fd5f71

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xls f7703dea53175c27e1c3391a883b7311d192310c1c4d0fe8c510cdf6fa1ff3c8

TrickBot

DLL dll f89b1d7e34810a16343159b8bb4700cfa548b58e2ab589bb1c6bee3455fd5f71

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/419022/
  
Dropped by
MD5 61cb6d8e8643ff9cd68ee72d073f43ed
  
Dropped by
SHA256 f7703dea53175c27e1c3391a883b7311d192310c1c4d0fe8c510cdf6fa1ff3c8
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32321/

Comments