MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884
SHA3-384 hash:	c59b1b67a3cf6a1530a253ff5d8cf4fe6bc1d85917669a526d890a1ee3bd38b87e0cb62aa1b453474ef202ab54ae34c7
SHA1 hash:	5a0e8e9cdc2a8b5a575c8f55674fa675ff49eef2
MD5 hash:	1e15caad81dbf43c24c3517c6658c138
humanhash:	alabama-november-johnny-artist
File name:	4524.js
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	352'632 bytes
First seen:	2021-07-20 18:45:45 UTC
Last seen:	2021-07-21 13:03:55 UTC
File type:	js
MIME type:	text/plain
ssdeep	6144:FIGncyVUSAPA7GJQylJhJkx+6rG2326n2/wMr/e8LvIqZwI4MyAsTfp:FIGcII+GflZe83I6Jrs9
TLSH	T16974AE90FA4021564AC36397FC1225D2FA3DC11492401165E99DA2AC7B667BCC3FFBBE
Reporter	abuse_ch
Tags:	js rob109 TrickBot

abuse_ch

TrickBot payload URLs:
http://109.248.201.26/lovemetertok.php
http://142.11.195.33/images/lovemetertok.png

TrickBot C2s:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Cerberus.18711.15857.UNOFFICIAL

Result

Verdict:

UNKNOWN

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dbnmoqgdkfwduzdbwfozxfaepvvurqf5egckamehrefvoowofcca._file

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:rob109 banker trojan

Link:

https://tria.ge/reports/210720-msfel64d3e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Loads dropped DLL

Blocklisted process makes network request

Downloads MZ/PE file

Trickbot

Malware Config

C2 Extraction:

38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Dropper Extraction:

http://109.248.201.26/lovemetertok.php

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

js 185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884

(this sample)

URLhaus

https://urlhaus.abuse.ch/browse/tag/rob109/

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample