MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12c758880559bf8d54aa665bf63bd8fb3009d9df405515a55a20438509c4fbf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 11



SHA256 hash: 12c758880559bf8d54aa665bf63bd8fb3009d9df405515a55a20438509c4fbf5
SHA3-384 hash: edfc4af895ab7e660c1d2e5601d4c44600e7ec5c755ebe9abfdc90fb08d9d9115cd947a82fff1404546c69f26da75bae
SHA1 hash: 75dec9b5253ba55a6fecc2e96a704e654785e7d9
MD5 hash: 1f0d7f3144ba0d50374f61c941f5a94e
humanhash: johnny-crazy-nevada-magazine
File name: 1f0d7f3144ba0d50374f61c941f5a94e.dll
Signature: TrickBot
File size: 675'840 bytes
First seen: 2021-03-13 08:22:00 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 25a3bf96f64b55a69d3aaf04f6c99acc (3 x TrickBot)
ssdeep: 12288:n+QjOdLU2K5HmTbKbKKMFZys7tmwdl71SyDe3/9ie:+/LUfU6MjvDoyDe3F
Threatray: 1 similar samples on MalwareBazaar
TLSH: 53E46C8EE162C0B1E075A1B4AF075B35919DDA913E2F898392E4FD4ACD237D1865F3C2
Reporter: abuse_ch
Tags: dll rob75 TrickBot

Intelligence


File Origin
# of uploads: 1
# of downloads: 223
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph: [graph not reproduced] ID 368233; sample Lh11EbTM0B.dll; start date 13/03/2021; architecture WINDOWS; score 48. Process tree: loaddll32.exe started cmd.exe, rundll32.exe and regsvr32.exe; cmd.exe started iexplore.exe, which started a second iexplore.exe; rundll32.exe started wermgr.exe. The second iexplore.exe contacted tls13.taboola.map.fastly.net, geolocation.onetrust.com and 8 other IPs or domains.
Threat name: Win32.Spyware.TrickBot
Status: Malicious
First seen: 2021-03-11 18:32:25 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 2/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob28 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash:
25f1d960c6f37d4816e01c99c07cdec5bb3e251a2ef785cdd5991594f11fc4c0
MD5 hash:
35128c51400f8b3e26b1b1cdd39eedea
SHA1 hash:
b8ebbf449dc8d0fac47b694be3776cf11cc1fa85
Detections:
win_trickbot_a4 win_trickbot_auto
SHA256 hash:
6a9c2974d47027777851f36b82df2d696eefd7469beff5f972137336d8acb98f
MD5 hash:
5f0825072cc0ee7f1c4c2c994caedf6c
SHA1 hash:
b406b4ace1388a32319f84e20038e570ea139426
Detections:
win_trickbot_a4
SHA256 hash:
fe3ed7a985dba941da04392628af4ec87ad62a2fe44a4a68cd8625dd489d9d5a
MD5 hash:
5131a3989a8e29ffa8cbd4ce15eb67cd
SHA1 hash:
37156e74250b5e9a9bf9e94a3e1e1aa387b45191
Detections:
win_trickbot_a4
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
