MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1161c095c63b3b47494043acf049d9803b6cf13a453af90f6ed415d1e357291c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot
Vendor detections: 9

SHA256 hash: 1161c095c63b3b47494043acf049d9803b6cf13a453af90f6ed415d1e357291c
SHA3-384 hash: cc3347b9b89a4014f32b41fa37a04811272ae56518c25b46a9c778e2c7c39fe62ca6cc4893b51a16f3c0461d51836851
SHA1 hash: fd9a37e271eccf9093b283645d27dcd2b8ec87e1
MD5 hash: 35bc7e8e168545658e6a52f0fd330a50
humanhash: one-apart-beryllium-zulu
File name: 1161c095c63b3b47494043acf049d9803b6cf13a453af90f6ed415d1e357291c
Signature: TrickBot
File size: 278'528 bytes
First seen: 2021-06-30 19:35:29 UTC
Last seen: 2021-06-30 20:54:32 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: ab6cea1cc57cbfd14bbb7a26003599de (1 x TrickBot)
ssdeep: 6144:P0ha/tgBhq/IR3R4DPV6qPvsTgSold2CkTWA2JmOaql:chKtD/IR3SJrl0FumW
Threatray: 3'320 similar samples on MalwareBazaar
TLSH: 27440282F1D184F6D5DF4038415A4916EB3B7E08E3B9C5936A9821AE8F373E2F539316
Reporter: Anonymous
Tags: dll TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 188
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary may be suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 84 / 100
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 442599; sample yLl0AGORTP; start date 30/06/2021; architecture WINDOWS; score 84)

Sample-level signatures:
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file

Process tree (network contacts, dropped files and signatures are listed under the process they were observed in):

loaddll32.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Delayed program exit found
  rundll32.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes
    wermgr.exe
      network: 24.162.214.166, 443, 49778, 49791 (TWC-11427-TEXASUS, United States); 185.56.76.28, 443, 49771, 49817 (GRUPOINFOSHOPES, Spain); 8 other IPs or domains
      signatures: Hijacks the control flow in another process; Writes to foreign memory regions
      cmd.exe
        network: 85.187.252.141, 443, 49843 (ABINTER-ASBG, Bulgaria)
        dropped: C:\Users\user\AppData\Local\...\Web Data.bak (SQLite); C:\Users\user\AppData\...\Login Data.bak (SQLite); C:\Users\user\AppData\Local\...\History.bak (SQLite)
        signatures: Tries to harvest and steal browser information (history, passwords, etc)
        conhost.exe
    cmd.exe
  regsvr32.exe
    signatures: Delayed program exit found
    wermgr.exe
      network: 74.85.157.139, 443 (FUSEPR, Puerto Rico); 97.83.40.67, 443, 49815, 49818 (CHARTER-20115US, United States); 12 other IPs or domains
      signatures: Tries to detect virtualization through RDTSC time measurements; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
      cmd.exe
        conhost.exe
    cmd.exe
  cmd.exe
    rundll32.exe
      signatures: Allocates memory in foreign processes; Delayed program exit found
      wermgr.exe
        network: 204.138.26.60, 443, 49769, 49829 (NTT-COMMUNICATIONS-2914US, United States); ident.me 176.58.123.25, 443, 49832 (LINODE-APLinodeLLCUS, United Kingdom); 11 other IPs or domains
        signatures: Writes to foreign memory regions
        cmd.exe
          conhost.exe
      cmd.exe
  3 other processes
    network: 60.51.47.65, 443 (TMNET-AS-APTMNetInternetServiceProviderMY, Malaysia); 162.252.67.93, 443, 49842 (MONSTERBROADBANDUS, United States); 13 other IPs or domains
    iexplore.exe
      network: 10 other IPs or domains
rundll32.exe
regsvr32.exe
rundll32.exe
Threat name: Win32.Trojan.Woreflint
Status: Malicious
First seen: 2021-06-30 19:07:01 UTC
AV detection: 8 of 29 (27.59%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:sat1 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SHA256 hash: 346089072a2cb7cca7f52b1e9001861089776a5ce59e1596b6958af8aeb91f2c
MD5 hash: 5223485c8e41393cf8680db407b341fa
SHA1 hash: 9d532e308e51044d1a7d964d1abe54dca8d90524

SHA256 hash: 515a7ef34b1e3cf88ac1ae5b4675d5e546e84a2be76fcf4ebd2efc7581c01afe
MD5 hash: f919766a234f8f5f61d44c918f449853
SHA1 hash: 83ce91cf9a5440ea08ce0f931946677b4692a60a

SHA256 hash: b10ddb423cd91a5f5e6365a4cd5f65efbd211a98fa6d0cac0091f282391f35bf
MD5 hash: ba8c62f8fae418e1055b84179f498451
SHA1 hash: 23d43f29c6b55b03532ab2d325fb80a830ea9ef0
Detections: win_trickbot_a4 win_trickbot_auto

SHA256 hash: 2386a40ee4a505244199bf4d0964387203f71b9ac95f63a3f5bec3066e427b55
MD5 hash: dd384aa4249323aa7fc8244da407480f
SHA1 hash: 0e967364847a5a12eefe6c6755126bf9bb2845a5

SHA256 hash: 1161c095c63b3b47494043acf049d9803b6cf13a453af90f6ed415d1e357291c
MD5 hash: 35bc7e8e168545658e6a52f0fd330a50
SHA1 hash: fd9a37e271eccf9093b283645d27dcd2b8ec87e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
