MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 038d131f77ce33aa98935bef9318d310ec141e3c0db0b84e4b4679d8a6665151. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot
Vendor detections: 9



SHA256 hash: 038d131f77ce33aa98935bef9318d310ec141e3c0db0b84e4b4679d8a6665151
SHA3-384 hash: 18b9233ea4e242d9f38e0c55e2220560ebabd125920a58c955e6d4eac2b9d0714dfd27fea4064bd5c2dee655f8226158
SHA1 hash: b22193c588a53be3a69bf939dafa6df3d6b82776
MD5 hash: 0f342e64cf48ef4b6131f7c2f1244f70
humanhash: ohio-winter-monkey-juliet
File name: SecuriteInfo.com.Variant.Zusy.371743.25402.7889
Signature: TrickBot
File size: 506'368 bytes
First seen: 2021-03-19 22:30:52 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: f85662bbdd9a91bfc7b40b98b12d4ad8 (1 x TrickBot)
ssdeep: 6144:/gWc0bBIikmQ2MfZu3rxY11eUaykSbahi4bnXt6/aJaETCPy77jRUufqAsd+s//L:9dbqvmQi1Y11uAbh89E0aBs1ylkB
Threatray: 12 similar samples on MalwareBazaar
TLSH: 9CB4D032F654444EC9E917FB6C95BFC3E03DA38D6F221393B96C099DC6608B14649793
Reporter: SecuriteInfoCom
Tags: TrickBot

Intelligence


File Origin
# of uploads: 1
# of downloads: 331
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Trickbot
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph: [rendered sandbox process graph; text recovered from the graph follows]
Behavior Graph ID: 372302, Sample: SecuriteInfo.com.Variant.Zu..., Startdate: 19/03/2021, Architecture: WINDOWS, Score: 100
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for dropped file; 6 other signatures
Process tree: loaddll32.exe and rundll32.exe are started; loaddll32.exe starts rundll32.exe, cmd.exe and regsvr32.exe; rundll32.exe starts rundll32.exe; the child rundll32.exe processes write to foreign memory regions, allocate memory in foreign processes and start wermgr.exe; cmd.exe starts iexplore.exe, which starts a second iexplore.exe
wermgr.exe: tries to detect virtualization through RDTSC time measurements; found evasive API chain (trying to detect sleep duration tampering with parallel thread); network contact to 71.66.92.190, 443 (TWC-10796-MIDWESTUS, United States) and 103.225.138.94, 449 (DCNBSI-AS-APDCTVCableNetworkBroadbandServicesIncPH, Philippines) plus 5 other IPs or domains; dropped file C:\Users\user\...\zzSecuriteInfoxd.rrd (PE32)
iexplore.exe: network contact to img.img-taboola.com, edge.gycpi.b.yahoodns.net 87.248.118.22, 443 (YAHOO-DEBDE, United Kingdom) and 10 other IPs or domains
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2021-03-19 20:48:53 UTC
AV detection: 9 of 28 (32.14%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:mon105 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 61f0340cebc54247b62e6af0713f5793e6c7ba73bffd01a5763af6f5fdd96c3b
MD5 hash: c78d218e7394bda271f65100f0f28f05
SHA1 hash: 9fc805d7ae14460fe5e81484e56ba1176bf4649d
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto

SHA256 hash: b721ac3f17dd8ac2d56aee56f2b80c5b3a435b55d80ecb1def13518a0e1476d7
MD5 hash: f33b12558cf760252114b3c28a245bf0
SHA1 hash: d61033c01ee93cface0fd66a945aa95e9bd8d32e

SHA256 hash: 038d131f77ce33aa98935bef9318d310ec141e3c0db0b84e4b4679d8a6665151 (this sample)
MD5 hash: 0f342e64cf48ef4b6131f7c2f1244f70
SHA1 hash: b22193c588a53be3a69bf939dafa6df3d6b82776
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: TrickBot
File type: DLL dll
SHA256 hash: 038d131f77ce33aa98935bef9318d310ec141e3c0db0b84e4b4679d8a6665151 (this sample)

Comments