MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19f0c6a50f5c4fc4da0233cac0ce5c3cfb70a03c15adfe9f78aaf3c2164210dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19f0c6a50f5c4fc4da0233cac0ce5c3cfb70a03c15adfe9f78aaf3c2164210dc
SHA3-384 hash: 46b68326ccd68161a4af88a3f73cdb97f182851184f5b9e8280a3fd4eb209fe55eef03ef4b086a76c8153f685eb2dbc6
SHA1 hash: 6b2b96a415e09f67139dd56a9a84053c2044f1e1
MD5 hash: 883a821723c10969d8b665a6574a8578
humanhash: gee-freddie-solar-lithium
File name:soccer.png.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:684'544 bytes
First seen:2021-11-08 16:20:14 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 17cd9f87fbb27686b2cd8f8d33695e92 (4 x TrickBot)
ssdeep 6144:1uNDZo15/Lb175yZhtHQqPm52aYYiHx/874uQYKJHD4YnYrde7:qDSHL575qLP0tKJHT1
TLSH T1B1E419199C3483ABF3ED21F6666C2FEE942781A055A1C03FA99D99D013747BBEC09713
Reporter James_inthe_box
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/203332/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61894e6fa00afa9663a0fef9/reports/bed86119-0972-4757-b282-327fd5d8c689/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79e4c361-ff17-488b-9910-8c038068b880
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885403
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 517875 Sample: soccer.png.dll Startdate: 08/11/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 2 other signatures 2->43 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        15 rundll32.exe 8->15         started        signatures5 17 rundll32.exe 10->17         started        45 Writes to foreign memory regions 12->45 47 Allocates memory in foreign processes 12->47 49 Found potential dummy code loops (likely to delay analysis) 12->49 51 Delayed program exit found 12->51 20 wermgr.exe 12->20         started        22 cmd.exe 12->22         started        24 wermgr.exe 15->24         started        26 cmd.exe 15->26         started        process6 signatures7 33 Writes to foreign memory regions 17->33 35 Allocates memory in foreign processes 17->35 28 wermgr.exe 17->28         started        31 cmd.exe 17->31         started        process8 signatures9 53 Tries to detect virtualization through RDTSC time measurements 28->53 55 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 28->55
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19f0c6a50f5c4fc4da0233cac0ce5c3cfb70a03c15adfe9f78aaf3c2164210dc/
Threat name:
Win32.Infostealer.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 16:19:24 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:soc1 banker trojan
Link:
https://tria.ge/reports/211108-ttmt9scfe7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
fcb952445e138dd50f50abe0f42d4ce2149ca82b71dfea272c6a128f0733e5d4
MD5 hash:
1876997df3b6eb6ad15aeadba62222e8
SHA1 hash:
d11ca5b0c7d0c53b378c06b3d0468e4783d3679c
Link:
https://www.unpac.me/results/6a1866ec-3fb2-41b0-a5ac-6ab713765753/
SH256 hash:
e98ca956f4f94b5c8b063327a1fe27fb804bc2e52190a68c577490c3192ae663
MD5 hash:
4b535dbe595f89c3bcaa4f43cc1323a3
SHA1 hash:
4162c873be81f5aac6ca0a1ed7f84bfe86ec4262
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/6a1866ec-3fb2-41b0-a5ac-6ab713765753/
Parent samples :
19f0c6a50f5c4fc4da0233cac0ce5c3cfb70a03c15adfe9f78aaf3c2164210dc
c8967382e53061b59cf54be076b1aa75c9dd10806e786cc745f61a3bcb7b0593
ccdc5d40766fbcc6f08efaadea41d51700fd13285eecfa63781a867b8850195b
104b9976e7e50031ded3bf9532a79b45502732668f23092f33fc71cecaa79977
5190ec8f66158522da23e655a5350c5c477cdf4ddc8c64eb9306764cd72f4e2a
aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6
ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6
SH256 hash:
19f0c6a50f5c4fc4da0233cac0ce5c3cfb70a03c15adfe9f78aaf3c2164210dc
MD5 hash:
883a821723c10969d8b665a6574a8578
SHA1 hash:
6b2b96a415e09f67139dd56a9a84053c2044f1e1
Link:
https://www.unpac.me/results/6a1866ec-3fb2-41b0-a5ac-6ab713765753/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/19f0c6a50f5c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/19f0c6a50f5c4fc4da0233cac0ce5c3cfb70a03c15adfe9f78aaf3c2164210dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/203332/

Comments