MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201
SHA3-384 hash: 00225934c6adaa5aedb57352fab905a812077a043dbcd112488055c2ce1ae7977eecf5e20cb4d737d33683351b15a0ae
SHA1 hash: 900bb57984fe96a3f26c910cffc3483f5407ad0d
MD5 hash: b69e752df013f0ae7e89846b1a90272d
humanhash: may-oklahoma-orange-double
File name:QuatRotDemo.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:1'180'672 bytes
First seen:2021-08-22 20:29:14 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 05bc8af9bf5c786dfa8271d68f7b9019 (4 x TrickBot)
ssdeep 12288:KtbEazZXGqs9onpRXBTlTGkxiLU6iRW9vLYHILxKdW7T09VuObClb4cCwOBCkjZl:KbEqXGo7BTlT0AdqYHILxCA/U1
Threatray 1'161 similar samples on MalwareBazaar
TLSH T1B3459D1136D4C076D27A35B1451AE7BA26E9A8315FF682CB6FD41E3D1F346C29A3830B
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter James_inthe_box
Tags:dll exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181304/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46842577.29179.17299.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5fc5fcf-4a0d-43f9-98d6-5bc431bc6e5f
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837161
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 469592 Sample: QuatRotDemo.exe Startdate: 22/08/2021 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Found malware configuration 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 3 other signatures 2->84 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 cmd.exe 1 9->15         started        17 rundll32.exe 9->17         started        20 rundll32.exe 9->20         started        signatures5 22 rundll32.exe 15->22         started        70 Writes to foreign memory regions 17->70 72 Allocates memory in foreign processes 17->72 74 Queues an APC in another process (thread injection) 17->74 76 Delayed program exit found 17->76 25 wermgr.exe 17->25         started        28 cmd.exe 17->28         started        30 wermgr.exe 20->30         started        32 cmd.exe 20->32         started        process6 dnsIp7 90 Writes to foreign memory regions 22->90 92 Allocates memory in foreign processes 22->92 34 wermgr.exe 22->34         started        38 cmd.exe 22->38         started        64 185.56.175.122, 443, 49714, 49718 VIRTUAOPERATOR-ASPL Poland 25->64 66 5.152.175.57, 443, 49725 SKYLOGIC-ASIT Spain 25->66 68 8 other IPs or domains 25->68 94 May check the online IP address of the machine 25->94 96 Tries to detect virtualization through RDTSC time measurements 25->96 98 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->98 40 svchost.exe 25->40         started        signatures8 process9 dnsIp10 58 105.27.205.34, 443, 49721 SEACOM-ASMU Mauritius 34->58 60 216.166.148.187, 443 CYBERNET1US United States 34->60 62 7 other IPs or domains 34->62 86 Hijacks the control flow in another process 34->86 88 Writes to foreign memory regions 34->88 42 svchost.exe 5 34->42         started        46 svchost.exe 34->46         started        48 svchost.exe 34->48         started        signatures11 process12 file13 50 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 42->50 dropped 52 C:\Users\user\AppData\...\Login Data.bak, SQLite 42->52 dropped 54 C:\Users\user\AppData\Local\...\History.bak, SQLite 42->54 dropped 56 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 42->56 dropped 100 Tries to harvest and steal browser information (history, passwords, etc) 42->100 signatures14
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-21 11:10:07 UTC
File Type:
PE (Dll)
Extracted files:
41
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
TrickBot
336c374c048c503e3e4f6d5f3d357ca49cc5ecf0187378a3869edcc050b9d441
TrickBot
33fcd639567316ceffba1be151d878ece3af93f5a6949be1387d3c98435c5bf9
TrickBot
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
TrickBot
85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5
TrickBot
9c8e26bdf89634254162a5529bd2c8c3bc4c2215be3d7cb39a47fcd0327c045d
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc
TrickBot
f60d8bd3ca821e7de945f17d646654b7c0f25949aa8c6f780313925076444fc2
TrickBot
+ 1'151 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob125 banker trojan
Link:
https://tria.ge/reports/210822-htchz9b6jj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
667dec1d877b05e74694224bd9612c4c5639e7e5eb9370bb3c4bab04945ac579
MD5 hash:
637d8774ce9c85a5f9880078f18ce461
SHA1 hash:
a3c05d198c3f7ec5162d0b2ec0be4c78dbb547a4
Link:
https://www.unpac.me/results/34dbe12b-c3e7-4e5e-b7bc-e8e51f3fb8e7/
SH256 hash:
ce61b15cc9513c1f7cbb74fa4222feea49d7899c3b253915c083bca0bee8d67f
MD5 hash:
8c7f1ca38ac2fc31d4a07bf8274e9fa2
SHA1 hash:
8f0f67bd9d46eed8a1bf7559fae8de6210ec6cca
Link:
https://www.unpac.me/results/34dbe12b-c3e7-4e5e-b7bc-e8e51f3fb8e7/
SH256 hash:
fe452401869013c2a0bbd767e7b13ccd57e09eff4185a9cf1a7e4d2b1e8f69bf
MD5 hash:
9bd90889f3d69beaa81490e37d0ab7f2
SHA1 hash:
643452d9626813face64787f7cdb0bf59808b0f3
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/34dbe12b-c3e7-4e5e-b7bc-e8e51f3fb8e7/
Parent samples :
33fcd639567316ceffba1be151d878ece3af93f5a6949be1387d3c98435c5bf9
85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5
03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201
ff2e1604b5ab04fc43039d5f94d08073f756115b1018846a253c0ad93ed94f8b
SH256 hash:
28204ec5cb8df6974e6a6c648b0769de16bdbc837296870d2ea5e06f824d7857
MD5 hash:
a6499c0f09a39a97012f1b872569cab5
SHA1 hash:
59deccf6178cf8ef4f120aa464dfd87c05aee8e7
Link:
https://www.unpac.me/results/34dbe12b-c3e7-4e5e-b7bc-e8e51f3fb8e7/
SH256 hash:
03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201
MD5 hash:
b69e752df013f0ae7e89846b1a90272d
SHA1 hash:
900bb57984fe96a3f26c910cffc3483f5407ad0d
Link:
https://www.unpac.me/results/34dbe12b-c3e7-4e5e-b7bc-e8e51f3fb8e7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/03b58de7881d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/181304/

Comments