MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

SHA256 hash: 0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c
SHA3-384 hash: 94fe853550b4ccb95edfead84fdf740259aabab8764f071cb872a68c22bfe5753fd5167f4c0ae0a4c79f8919e7a8ef48
SHA1 hash: 1aca647bd4af908ebd27f283a1755d6c2fd68227
MD5 hash: e5ec8603bbcfe3820c59749a24641570
humanhash: salami-quebec-north-twelve
File name: zoom.doc
Download: sample available from MalwareBazaar
Signature: TrickBot
File size: 1'010'688 bytes
First seen: 2021-08-03 18:44:19 UTC
Last seen: 2021-08-04 07:48:37 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 805a20dd232c79743bdd30eee2ab28e2 (1 x TrickBot)
ssdeep: 24576:sMX4Q2OCU9/pFEyQdAFs6r8QaWpusNV01YP:L/2OCg/4//Cng+0
Threatray: 3'675 similar samples on MalwareBazaar
TLSH: T1A825AE113AC1C036E16E3136451AE77866FEA8301FF59BCB6FD46A7D1E345C29A3870A
dhash icon: 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter: abuse_ch
Tags: dll rob119 TrickBot
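Before analysing the download, confirm it is the file this entry describes. The script below is an added example, not code from MalwareBazaar or abuse.ch: it recomputes the four hashes the entry lists (all available in Python's hashlib), compares them case-insensitively to the listed values, checks the listed size, and reads the PE header to report whether the file is a DLL. That last check is why the entry says File type: DLL for something named zoom.doc: the type comes from the file content, and the payload URL http://149.28.106.202/zoom.doc serves a PE DLL under a document name. The fuzzy and structural hashes in the table (imphash, ssdeep, TLSH, dhash) need third-party libraries and are not recomputed here; note also that the icon dhash is shared with 3'570 Heodo samples, so an icon match alone does not point at TrickBot. Run without arguments, the script exercises the checks on a constructed 88-byte PE stub, which naturally does not match the entry.

```python
"""Verify a downloaded sample against this MalwareBazaar entry.

Added example; it is not code from MalwareBazaar or abuse.ch. The hashes
and size below are the ones listed in the entry. The sample bytes are not
included: pass the extracted file path on the command line, or run with no
arguments to see the checks on a constructed stand-in.
"""
import hashlib
import struct
import sys

# Values as listed in the database entry above.
ENTRY_HASHES = {
    "sha256": "0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c",
    "sha3_384": "94fe853550b4ccb95edfead84fdf740259aabab8764f071cb872a68c22bfe5753fd5167f4c0ae0a4c79f8919e7a8ef48",
    "sha1": "1aca647bd4af908ebd27f283a1755d6c2fd68227",
    "md5": "e5ec8603bbcfe3820c59749a24641570",
}
ENTRY_SIZE = 1_010_688  # bytes
IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag


def compute_hashes(data: bytes) -> dict:
    """Hex digests for the four algorithms the entry lists (all in hashlib)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def verify_hashes(actual: dict, expected: dict = ENTRY_HASHES) -> list:
    """Names of algorithms whose digest differs from the entry; [] means a full
    match. Hex case is ignored because vendors print digests in either case."""
    return sorted(n for n, want in expected.items()
                  if actual.get(n, "").lower() != want.lower())


def pe_kind(data: bytes):
    """'dll' or 'exe' for a PE image, None otherwise. The entry reports
    'File type: DLL' for a file delivered as zoom.doc because the type comes
    from this header, not from the extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def triage(data: bytes) -> dict:
    """What an analyst wants before opening the file: does it match the entry,
    and is it really the PE DLL the entry says it is?"""
    hashes = compute_hashes(data)
    mismatches = verify_hashes(hashes)
    return {
        "hashes": hashes,
        "mismatches": mismatches,
        "size_ok": len(data) == ENTRY_SIZE,
        "kind": pe_kind(data),
        "matches_entry": not mismatches and len(data) == ENTRY_SIZE,
    }


def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed 88-byte PE stub (DOS header, e_lfanew=0x40, PE signature,
    IMAGE_FILE_HEADER) used only to exercise pe_kind(); not a real binary."""
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos_header + b"PE\0\0" + file_header


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:  # the sample is ~1 MB, reading it whole is fine
            blob = f.read()
    else:
        blob = build_fake_pe(is_dll=True)  # stand-in; will not match the entry
    result = triage(blob)
    print("PE kind:", result["kind"], "| size ok:", result["size_ok"])
    print("hash mismatches:", result["mismatches"] or "none")
    for name, digest in result["hashes"].items():
        print(f"{name:9} {digest}")
```

A sample that passes triage() with matches_entry True and kind "dll" is the one the vendors below analysed; anything else should be treated as a different file, whatever it was named on disk.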


abuse_ch
TrickBot payload URLs:
http://149.28.106.202/incredible.php
http://149.28.106.202/zoom.doc

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
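The C2 list in the report above is the same one the sandbox extracted from the sample's configuration further down, and it is the part of this entry that is directly actionable in network logs. The script below is an added example, not code from MalwareBazaar or abuse.ch: it loads the 18 C2 sockets and the payload host from this entry, sweeps a handful of constructed firewall-style log lines (the key=value layout is invented for the example and mimics no particular product) and groups hits by internal source. Two caveats a practitioner should keep in mind: these IOCs date from 2021-08-03 and IP addresses are reassigned over time, so a match in current traffic needs the entry date and the address's current owner checked before anyone blocks or escalates; and a match on a C2 address at a port other than 443 is weaker evidence than an exact socket match, which is why the script reports the two separately.

```python
"""Sweep outbound-connection logs for the TrickBot IOCs in this entry.

Added example; not code from MalwareBazaar or abuse.ch. The IOC lists are
copied from the entry; the log lines and their key=value layout are
constructed for illustration and do not mimic any particular product.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple

# C2 sockets as reported above (TrickBot botnet tag rob119, seen 2021-08-03).
C2_IOCS = [
    "65.152.201.203:443", "185.56.175.122:443", "46.99.175.217:443",
    "179.189.229.254:443", "46.99.175.149:443", "181.129.167.82:443",
    "216.166.148.187:443", "46.99.188.223:443", "128.201.76.252:443",
    "62.99.79.77:443", "60.51.47.65:443", "24.162.214.166:443",
    "45.36.99.184:443", "97.83.40.67:443", "184.74.99.214:443",
    "103.105.254.17:443", "62.99.76.213:443", "82.159.149.52:443",
]
# Host serving both payload URLs (http://149.28.106.202/incredible.php and /zoom.doc).
PAYLOAD_HOSTS = {ipaddress.ip_address("149.28.106.202")}


def parse_socket(text: str):
    """'ip:port' -> (ip_address, port); raises on a malformed IOC so typos surface at load time."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)


C2_SOCKETS = {parse_socket(s) for s in C2_IOCS}
C2_HOSTS = {ip for ip, _ in C2_SOCKETS}

# Constructed log lines: two internal hosts; one talks to a C2 and the payload
# host, the other reaches a C2 address on an unexpected port and then a C2 socket.
SAMPLE_LOG = """\
2021-08-03T19:02:11Z action=allow src=10.0.5.23 dst=46.99.175.217 dport=443 proto=tcp
2021-08-03T19:02:12Z action=allow src=10.0.5.23 dst=142.250.72.46 dport=443 proto=tcp
2021-08-03T19:03:40Z action=allow src=10.0.5.23 dst=149.28.106.202 dport=80 proto=tcp
2021-08-03T19:05:01Z action=deny src=10.0.7.9 dst=185.56.175.122 dport=8443 proto=tcp
2021-08-03T19:06:22Z action=allow src=10.0.7.9 dst=62.99.79.77 dport=443 proto=tcp
malformed line that the parser must skip
"""

Hit = namedtuple("Hit", "ts src dst dport kind")
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def classify(dst: str, dport: int):
    """Strongest matching IOC class for one destination, or None.
    'c2_host_other_port' is weaker evidence: known address, unexpected port."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    if (ip, dport) in C2_SOCKETS:
        return "c2_exact"
    if ip in PAYLOAD_HOSTS:
        return "payload_host"
    if ip in C2_HOSTS:
        return "c2_host_other_port"
    return None


def scan(log_text: str) -> list:
    """Return a Hit for every parsable line whose destination matches an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not treated as clean
        kind = classify(m["dst"], int(m["dport"]))
        if kind:
            hits.append(Hit(m["ts"], m["src"], m["dst"], int(m["dport"]), kind))
    return hits


def by_source(hits) -> dict:
    """Group hits by internal source so each suspected host gets one ticket."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h.src].append(h)
    return dict(grouped)


if __name__ == "__main__":
    for src, src_hits in by_source(scan(SAMPLE_LOG)).items():
        print(src)
        for h in src_hits:
            print(f"  {h.ts} -> {h.dst}:{h.dport} [{h.kind}]")
```

On the constructed log, 10.0.5.23 produces an exact C2 hit followed by a fetch from the payload host, which is the order an infection would show, while 10.0.7.9 yields one weaker host-only hit and one exact hit; the denied line still counts, since a blocked attempt is evidence of the beaconing process on that host.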

Intelligence

File Origin
# of uploads: 2
# of downloads: 251
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
  DNS request
  Sending a UDP request

Result
Verdict: UNKNOWN
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: unknown
Classification: n/a
Score: 1 / 100
Behaviour: (behaviour graph image not captured)

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-08-03 18:45:06 UTC
AV detection: 5 of 28 (17.86%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob119 banker trojan
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Looks up external IP address via web service
  Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SHA256 hash: 471dfb07e18188173c0bd8a0b374f042d8fdfc53343c150c474a24aaf643b4f7
MD5 hash: 077afccef2d2c60e6ccd659cd5a814db
SHA1 hash: 82dac48b62c5af29c8f4f7c2fe1e284e99bce746

SHA256 hash: 3591939c18568e67c67a771dc202f31cde6ab8ee04008f58eac7d7b8e733b1f4
MD5 hash: 19168017dea36fa88d1231377b641997
SHA1 hash: 7bdd47f58501c8409ed62e732bf52b81de0ce17c

SHA256 hash: b86ccd411ba4ac9f3ee0bfd6c613ffa056ae65ad45a60d469e195687ec7f8b8e
MD5 hash: ced6fc4a84a37aa0cccaca1dbe49848f
SHA1 hash: 68dce247c34649a020cbd7ec7481bc3366993189
Detections: win_trickbot_auto

SHA256 hash: 5ab120e7afdf5f5483b37308f95c8af0c9b48e8e63976ef8f83c2bfdc9dd2323
MD5 hash: eebe8fb258d4ebf2e23be395b364f38b
SHA1 hash: 072db9fe932fc4f888751c0e8ba51affdcc08f55

SHA256 hash: 0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c (this sample)
MD5 hash: e5ec8603bbcfe3820c59749a24641570
SHA1 hash: 1aca647bd4af908ebd27f283a1755d6c2fd68227

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Signature: TrickBot
File type: DLL
SHA256: 0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c (this sample)
