MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a9642bbe79ad2c9c65d52a97e099b3e84ae8825a25dd40ebb6ba12797f2ff4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 9



SHA256 hash: 1a9642bbe79ad2c9c65d52a97e099b3e84ae8825a25dd40ebb6ba12797f2ff4e
SHA3-384 hash: 6fd168dfb0725590c73207ad652af46d11c7891b2e08d2f7f801130501c20dbea7240bec0b62756794bb9bee6641bbd1
SHA1 hash: e159a8a8b6c1e60e40ff493bc528b51f8eb8a500
MD5 hash: c957b150c5a36d00f1c964d56a151997
humanhash: beer-potato-ohio-mango
File name: c957b150c5a36d00f1c964d56a151997.dll
Signature: TrickBot
File size: 305'664 bytes
First seen: 2021-03-20 08:23:57 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 6eaded21fcdb132a5ae4e0f258cad60f (2 x TrickBot)
ssdeep: 6144:iSeXBXox+YVJNBvOsVT8pj0gMtAYl+k/gvXKyEUvi6Fo:PexXmHBmoTMMtAQ+kYvXJEUvi6Fo
TLSH: 7A54E040B2508071CD5A273158779E254E7F7E50BEB4A58F8F6A313DBF733C2AA11A46
Reporter: abuse_ch
Tags: a155 dll TrickBot

Intelligence


File Origin
# of uploads: 1
# of downloads: 401
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Behavior Graph ID: 372374
Sample: n64QPFbX1S.dll
Startdate: 20/03/2021
Architecture: WINDOWS
Score: 48
Signatures: Multi AV Scanner detection for submitted file
Process tree: the sample is loaded by loaddll32.exe, which starts cmd.exe, rundll32.exe and regsvr32.exe; cmd.exe starts iexplore.exe, rundll32.exe starts a second cmd.exe, and iexplore.exe starts a second iexplore.exe
DNS / IP (from iexplore.exe): tls13.taboola.map.fastly.net 151.101.1.44, 443, 49736, 49737 FASTLYUS United States; geolocation.onetrust.com 104.20.185.68, 443, 49724, 49725 CLOUDFLARENETUS United States; 8 other IPs or domains
Threat name: Win32.Trojan.Trickpak
Status: Malicious
First seen: 2021-03-19 20:48:49 UTC
AV detection: 9 of 28 (32.14%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:mon155 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 1b7da871f1a177984dd2e0cdcf71ceedeb1ab30689c8626194c27e38261b432e
MD5 hash: 8eab380c22530894ae757acbd55e545a
SHA1 hash: 20415ce93b8dfb6c0cd089ab8ca8807e40382a80
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto
SHA256 hash: 1a9642bbe79ad2c9c65d52a97e099b3e84ae8825a25dd40ebb6ba12797f2ff4e
MD5 hash: c957b150c5a36d00f1c964d56a151997
SHA1 hash: e159a8a8b6c1e60e40ff493bc528b51f8eb8a500
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | TrickBot | DLL dll 1a9642bbe79ad2c9c65d52a97e099b3e84ae8825a25dd40ebb6ba12797f2ff4e (this sample)

Comments