MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 051859a76d64d4bdeec4bb43cad7d6301f83a62b5b716393af5f3d7b80440b41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 051859a76d64d4bdeec4bb43cad7d6301f83a62b5b716393af5f3d7b80440b41
SHA3-384 hash: 5ea78a1db3dac93120ea86f0c69503add787a99f2b1e7fe8f0ef494acdb8c0409f3dd1e20071c0dd70883b74a3bb0b60
SHA1 hash: 9c309e3f070ec763fd05bdae54d459def349e0e1
MD5 hash: 5091a400a52fa02348af0d2077d2be51
humanhash: march-cold-snake-east
File name:SecuriteInfo.com.Variant.Razy.847374.25991.6997
Download: download sample
Signature TrickBot
Create hunting rule
File size:359'424 bytes
First seen:2021-03-15 17:52:29 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 61a0ecfcf6fd30fcdee45e90e04a32c9 (3 x TrickBot)
ssdeep 6144:2LAMibxy5iv9BD/zFxznh3DmzrBuno6bpnUFd5gUHq:qAfbxbvDjNTmzrBunofFds
TLSH D174AE20F5C88816C9FD163728B0FFC2922DF7DD2F1A5667BB9C558E46258619288F33
Reporter SecuriteInfoCom
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Razy.847374.25991.6997.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef2c9475-7c30-4efc-9f82-1911a97df70c
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/639852
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/051859a76d64d4bdeec4bb43cad7d6301f83a62b5b716393af5f3d7b80440b41/
Threat name:
Win32.Trojan.TrickBotCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 22:14:24 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aumftj3nmtkl33wexnb4vv6wgapyhjrllnywhe5pl46xxacebnaq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:mon75 banker trojan
Link:
https://tria.ge/reports/210315-6bt1q2ckja/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
Unpacked files
SH256 hash:
a845a3017c418d30da95de049ab9b83c2342641ad0f760194bf7f6392cede6d3
MD5 hash:
bc24f0a61d68fca67248858bb8354597
SHA1 hash:
3031c12d21ed17d34c85fbee5bc1df214a9015d3
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/93ba94ac-bd06-4cc3-8901-b22681c90939/
SH256 hash:
f8b84375825f317b9d44d7659507d7d2aa61e05e0add5cc5c87ae81a09e4b89b
MD5 hash:
a8ce0018977997e44569d0a14bf6f377
SHA1 hash:
76132c3fc87038ee1668b47c11125300cdd373d3
Link:
https://www.unpac.me/results/93ba94ac-bd06-4cc3-8901-b22681c90939/
SH256 hash:
051859a76d64d4bdeec4bb43cad7d6301f83a62b5b716393af5f3d7b80440b41
MD5 hash:
5091a400a52fa02348af0d2077d2be51
SHA1 hash:
9c309e3f070ec763fd05bdae54d459def349e0e1
Link:
https://www.unpac.me/results/93ba94ac-bd06-4cc3-8901-b22681c90939/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/051859a76d64d4bdeec4bb43cad7d6301f83a62b5b716393af5f3d7b80440b41

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 051859a76d64d4bdeec4bb43cad7d6301f83a62b5b716393af5f3d7b80440b41

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1068968/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1068979/
  
URLhaus
https://urlhaus.abuse.ch/url/1070199/

Comments