MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277
SHA3-384 hash: fc2262ec4841e6b82008e2561221334f6c47c919787ec4b5fd1fc18fffa6ce5f4553f1eeae99b518144e7abe766ba5fe
SHA1 hash: f050b4bc1e583400fd687eb174770692753d1700
MD5 hash: a784f1a3c6d9391c65ffba7818168e25
humanhash: victor-fourteen-beryllium-failed
File name:a784f1a3c6d9391c65ffba7818168e25
Download: download sample
Signature TrickBot
Create hunting rule
File size:532'480 bytes
First seen:2021-09-23 08:41:35 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 5c9a9773c96ef9c47915be337e1489a1 (6 x TrickBot)
ssdeep 6144:tIl3f5on8R0CBtsabvbn0iRugpw8mI3R5y4MAIJ+CczfBsx2X/HSpu9SiWaKMVe1:tk32q0CB5fwq6cBsxsPUmYa1B3js
Threatray 1'288 similar samples on MalwareBazaar
TLSH T1C9B4CF42B2C0C076E27F537149775B5A26AEFD248BF1A94BB744BE3D0F35291852EA03
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter zbetcheckin
Tags:32 dll exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190691/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Trickpak.4c.24101.28805.UNOFFICIAL
Create hunting rule

Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16216596-b7b4-4cff-841a-84aadeeb6eaa
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856309
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488740 Sample: TWY64j9zbc Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 3 other signatures 2->60 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 rundll32.exe 9->15         started        18 cmd.exe 1 9->18         started        20 rundll32.exe 9->20         started        signatures5 74 Writes to foreign memory regions 15->74 76 Allocates memory in foreign processes 15->76 78 Queues an APC in another process (thread injection) 15->78 22 wermgr.exe 15->22         started        26 cmd.exe 15->26         started        28 rundll32.exe 18->28         started        30 wermgr.exe 20->30         started        32 cmd.exe 20->32         started        process6 dnsIp7 48 46.99.175.217, 443, 49734, 49737 IPKO-ASAL Albania 22->48 50 194.146.249.137, 443, 49747 VIRTUAOPERATOR-ASPL Poland 22->50 52 8 other IPs or domains 22->52 64 May check the online IP address of the machine 22->64 66 Tries to detect virtualization through RDTSC time measurements 22->66 68 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 22->68 70 Writes to foreign memory regions 28->70 72 Allocates memory in foreign processes 28->72 34 wermgr.exe 28->34         started        38 cmd.exe 28->38         started        signatures8 process9 dnsIp10 42 105.27.205.34, 443, 49753 SEACOM-ASMU Mauritius 34->42 44 128.201.76.252, 443, 49735, 49740 PedroFArrudaJuniorMEBR Brazil 34->44 46 7 other IPs or domains 34->46 62 Writes to foreign memory regions 34->62 40 svchost.exe 34->40         started        signatures11 process12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 08:42:06 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201
TrickBot
135dfd26acc2ab044b4159e7e0da289e2c7835c4049100106a00ca7d232bddea
TrickBot
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
TrickBot
c66a20d9e2351668f01bf739263433d42206f1d5302114f72497df5104063ee0
TrickBot
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
TrickBot
fdbbfcaac090ccd1b7ce3289ea862e5c8f0ced4318f368db0e6976df950e9706
TrickBot
ff2e1604b5ab04fc43039d5f94d08073f756115b1018846a253c0ad93ed94f8b
TrickBot
+ 1'278 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob133 banker trojan
Link:
https://tria.ge/reports/210923-kl1lqadfh3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
6235365fae1fcaa6e8f3343e765ef47eab65dc17d9820834a6e72b4929b275d0
MD5 hash:
b96a0c7500cdd30940f9d3b67c320318
SHA1 hash:
adbbd1371cff40c59d2f5497ab5b0988e9897e74
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b59f7d94-d727-49b0-b43e-6ed8d4280aed/
Parent samples :
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
fdbbfcaac090ccd1b7ce3289ea862e5c8f0ced4318f368db0e6976df950e9706
135dfd26acc2ab044b4159e7e0da289e2c7835c4049100106a00ca7d232bddea
0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277
SH256 hash:
ba545e55228cfc740224d9e71fe535d8a61aa420bc7291e51976627c60560111
MD5 hash:
f7a03324b77866ca1f90f8997e371e4b
SHA1 hash:
9162794fefe5a8a20264a07fe8fe75c10e8894d8
Link:
https://www.unpac.me/results/b59f7d94-d727-49b0-b43e-6ed8d4280aed/
SH256 hash:
75bea7e6e72fc4fcbd5fb4bc5e4adb274b89acec08b50890212b2c4fa3586e41
MD5 hash:
8fe3f8f60b6658aec777f30282b32425
SHA1 hash:
33b2c8dd7dea6755ffadaa9e81acbea0cd620b5a
Link:
https://www.unpac.me/results/b59f7d94-d727-49b0-b43e-6ed8d4280aed/
SH256 hash:
5e1d15a0f3ce1f88516b539b6f28a210385bafc05cb4399ecd07389619d051e7
MD5 hash:
c6fc9418fb7b4b970923b1a634bd0903
SHA1 hash:
024822d0a0091823083054fb47900b8cd4a658a2
Link:
https://www.unpac.me/results/b59f7d94-d727-49b0-b43e-6ed8d4280aed/
SH256 hash:
0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277
MD5 hash:
a784f1a3c6d9391c65ffba7818168e25
SHA1 hash:
f050b4bc1e583400fd687eb174770692753d1700
Link:
https://www.unpac.me/results/b59f7d94-d727-49b0-b43e-6ed8d4280aed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190691/

Comments


Avatar
zbet commented on 2021-09-23 08:41:36 UTC

url : hxxp://5.181.80.113/images/inlinelots.png