MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08cb300ae6bb92760d1bb263412191120bccf1593b72af35707b44c07020301d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9

SHA256 hash: 08cb300ae6bb92760d1bb263412191120bccf1593b72af35707b44c07020301d
SHA3-384 hash: 40997dc8bced24c7318323bac09694cbb076fbe3fc2d2a1996033b3f15307b5977376843ddf16c5f55dbd38bc7730f5b
SHA1 hash: c8379dfafc1cde7b9f9fe7f0e0a02085c9d329cf
MD5 hash: 1e4f3ce667664c43b54a953e285ca63a
humanhash: equal-ceiling-romeo-west
File name: properties.dll
Signature: TrickBot
File size: 331'776 bytes
First seen: 2020-12-23 12:43:30 UTC
Last seen: 2020-12-23 14:41:12 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 8f95b0fc498ab282997c9bb7ad755065 (1 x TrickBot)
ssdeep: 3072:Q7c3R92h54np+EBqZUOQ20dXr8SF2q68qzHo+jr8EcIV8/yFStpY4oFV1pZEruGq:xznp+P6F21rHjrKIVH4tvG1pZEiGxD
Threatray: 2'965 similar samples on MalwareBazaar
TLSH: 1B64CF01760084B1E35D4B306916FAE0065EAD3956E4E48FFE7D7E3A6A322C35A7B14F
Reporter: JAMESWT_WT
Tags: dll TrickBot

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 510
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
Launching a process
Sending a UDP request
Sending a custom TCP request
Unauthorized injection to a system process

Result
Verdict: 8

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behavior Graph (ID 333647, sample properties.dll, start date 23/12/2020, architecture WINDOWS, score 48):
loaddll32.exe
    cmd.exe
        iexplore.exe (contacts 192.168.2.1)
            iexplore.exe (contacts edge.gycpi.b.yahoodns.net 87.248.118.22:443, YAHOO-DEBDE, United Kingdom; tls13.taboola.map.fastly.net 151.101.1.44:443, FASTLYUS, United States; 9 other IPs or domains)
    regsvr32.exe
        wermgr.exe
The regsvr32.exe branch spawning wermgr.exe is the process-injection behaviour reported above ("Unauthorized injection to a system process"); the iexplore.exe branch produces ordinary browser background traffic (Yahoo, Taboola via Fastly) and is not the TrickBot C2 channel, which is listed under Malware Config below.
Result
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-12-21 21:02:26 UTC
File Type: PE (Dll)
Extracted files: 33
AV detection: 21 of 28 (75.00%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob27 banker trojan
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
41.243.29.182:449
196.45.140.146:449
103.87.25.220:443
103.98.129.222:449
103.87.25.220:449
103.65.196.44:449
103.65.195.95:449
103.61.101.11:449
103.61.100.131:449
103.150.68.124:449
103.137.81.206:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
Unpacked files

SHA256 hash: 9f307d2945858921a667b820720749b6224c265f7cb0674526930a77deca2cf5
MD5 hash: a39bca831b7955f0ce4884834510fdc9
SHA1 hash: 805e8fa7b275b3b004e32f272d95c794746c59ae
Detections: win_trickbot_a4 win_trickbot_auto

SHA256 hash: b05ac67f482be0d4babde6f47a14a3b9d67ded5e1d46c3b2a76b5b41277f8322
MD5 hash: 3c895cffc5c901860033ae3a1a576611
SHA1 hash: 83a12666096ec0956b3cae7cc21fc136fffd1bfe

SHA256 hash: 08cb300ae6bb92760d1bb263412191120bccf1593b72af35707b44c07020301d (the submitted sample itself)
MD5 hash: 1e4f3ce667664c43b54a953e285ca63a
SHA1 hash: c8379dfafc1cde7b9f9fe7f0e0a02085c9d329cf

SHA256 hash: c121a0d7620fae63f79d8a1e23560ed159b02366573493793b88663fa9331802
MD5 hash: 0fedbcac57480773eb96296c64d7efb6
SHA1 hash: b55d5161cab372b5212856956fb3d708abe95d39
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.