MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a
SHA3-384 hash: d685cd0b20e461a649ca48f9631689057a17a70d76dd997b2710b704a31ce602a290f8a41a4bc82cea5aa71b436529ad
SHA1 hash: 349ce60f7825894706a86fcb33c0639c4e2db214
MD5 hash: 2ffeb1d7d580daba1982cf0649c42f37
humanhash: seven-oven-magnesium-fifteen
File name:trickbot.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:536'576 bytes
First seen:2021-07-26 14:14:58 UTC
Last seen:2021-07-26 18:01:57 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 702626d9788561d3a5037bd68164433c (1 x TrickBot)
ssdeep 12288:co/MDxbn3SuMELwoy9FoWQbW36CPz/dri:VobniurQNTd
Threatray 901 similar samples on MalwareBazaar
TLSH T1A7B4C05374B0CD31C79E0B354E31AF6A61BFBE645EF0E58B2680FB5E5F326814426226
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:dll rob112 TrickBot


Avatar
abuse_ch
TrickBot payload URLs:
http://www.barracagiordano.com/www/portable.php
https://docs.zohopublic.com/downloaddocument.do

TrickBot C2s:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Intelligence

File Origin
# of uploads :
3
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174167/
Detection(s):
SecuriteInfo.com.ML.PE-A.4027.25621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20147773-0221-4fdf-b199-c8f8f09abc6c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/821841
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 454253 Sample: trickbot.dll Startdate: 26/07/2021 Architecture: WINDOWS Score: 80 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Sigma detected: CobaltStrike Load by Rundll32 2->76 78 Sigma detected: Suspicious Call by Ordinal 2->78 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 rundll32.exe 10->16         started        19 cmd.exe 1 10->19         started        21 rundll32.exe 10->21         started        23 rundll32.exe 12->23         started        signatures5 70 Writes to foreign memory regions 16->70 72 Allocates memory in foreign processes 16->72 25 wermgr.exe 16->25         started        29 cmd.exe 16->29         started        31 rundll32.exe 19->31         started        33 wermgr.exe 21->33         started        35 cmd.exe 21->35         started        37 wermgr.exe 23->37         started        39 cmd.exe 23->39         started        process6 dnsIp7 58 170.238.117.187, 443, 49740 America-NETLtdaBR Brazil 25->58 60 60.51.47.65, 443, 49725, 49736 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 25->60 62 6 other IPs or domains 25->62 80 May check the online IP address of the machine 25->80 82 Writes to foreign memory regions 25->82 84 Tries to detect virtualization through RDTSC time measurements 25->84 86 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->86 41 cmd.exe 1 25->41         started        88 Allocates memory in foreign processes 31->88 43 wermgr.exe 3 31->43         started        48 cmd.exe 31->48         started        signatures8 process9 dnsIp10 50 conhost.exe 41->50         started        64 185.81.51.44, 443, 49752 VIA-SMSLV Latvia 43->64 66 190.145.83.98, 443, 49756 TelmexColombiaSACO Colombia 43->66 68 18 other IPs or domains 43->68 56 C:\Users\user\AppData\...\yctrickbotwo.grf, PE32 43->56 dropped 90 Writes to foreign memory regions 43->90 52 cmd.exe 1 43->52         started        file11 signatures12 process13 process14 54 conhost.exe 52->54         started       
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=daq7s5m4t274u2dbayacvozwahtz7auzhl4difk2rk5wq2a2vcna._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
9da8a5a0b5957db6112e927b607a8fd062b870f2132c4ae3442eb63235f789e1
TrickBot
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
TrickBot
ab31cadce548ff34783ae6a838a3ece8484f4c96b02de8c9b314c0f96c064ab7
TrickBot
b161eb34e5513131f4b0a4c0318646ed3448122445d7924e03ff5822a6e2d2dd
TrickBot
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c
TrickBot
e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb
TrickBot
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
TrickBot
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
TrickBot
+ 891 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob112 banker trojan
Link:
https://tria.ge/reports/210726-jvwjr449r6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
75e46e274d626461b74c9ff206bd6de4e06cf1b44a65e5f3339992ea98b1715c
MD5 hash:
d89910ae592ce85c39e8e1a8270dfdb8
SHA1 hash:
cf514ec107a177ed5921b61ce1ee93bf52cba268
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e01c2102-89ce-44f3-a429-b31f72d91050/
Parent samples :
1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a
6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549
SH256 hash:
f3aa731abf6aa0a7847d0c65ee04185bcbb6446b5d4239dc5b7a26b6d10ebc57
MD5 hash:
02cb0e10e23f68a5a74053a88b6cbe6b
SHA1 hash:
647506f03188f0c336c43e8a7b39a6b6c43b42b8
Link:
https://www.unpac.me/results/e01c2102-89ce-44f3-a429-b31f72d91050/
SH256 hash:
019d078098150a574d6f7e66b5eaef5a1cd2aca48f9b64ca921a4b7b0925bf82
MD5 hash:
4be792c280e767937b4efb6d345d2492
SHA1 hash:
3e1836e5c6f1a07bb221de1c2ef2f120d3dff30e
Link:
https://www.unpac.me/results/e01c2102-89ce-44f3-a429-b31f72d91050/
SH256 hash:
84cb6130b1c52eeef0a488eead2f133bfd1c20b5a1d88a15605ee6264779aaa4
MD5 hash:
21df5265dd5cc719b10e8ed8de1ea32a
SHA1 hash:
1b3f261de08eee825bf28b7df9dfff2e4bf55de4
Link:
https://www.unpac.me/results/e01c2102-89ce-44f3-a429-b31f72d91050/
SH256 hash:
1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a
MD5 hash:
2ffeb1d7d580daba1982cf0649c42f37
SHA1 hash:
349ce60f7825894706a86fcb33c0639c4e2db214
Link:
https://www.unpac.me/results/e01c2102-89ce-44f3-a429-b31f72d91050/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Java Script (JS) js a574f118b80d349c10890f245a4a11d867942bfc1fb62f8022b50b85e4d12276

TrickBot

DLL dll 1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a

(this sample)

  
Dropped by
SHA256 a574f118b80d349c10890f245a4a11d867942bfc1fb62f8022b50b85e4d12276
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174167/

Comments