MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989
SHA3-384 hash: 730db84602566f34c7790a6bc1ec6a2c8754db6a8503ece2fda4f1a3ece90da06120282d843e39e90a90ac2f8d4ce5b2
SHA1 hash: 68c3b2bb07d2f05e6c469a5f2a208494c37c22f8
MD5 hash: 4d8bfe6d8032b97fc117edce65acc3ca
humanhash: missouri-kilo-connecticut-sink
File name:1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989
Download: download sample
Signature TrickBot
Create hunting rule
File size:708'617 bytes
First seen:2021-06-28 22:16:59 UTC
Last seen:2021-06-28 22:38:34 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 7414bf5b01ef509d8291ea6d47664bab (1 x TrickBot)
ssdeep 12288:pBHmmzAbDG5sjKfKraaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaJ:sbD9usug
Threatray 813 similar samples on MalwareBazaar
TLSH DCE4AE82B6A3C2F6C19E21302FA72EFD4BFEBC1547A1E583D784D92C4872752536A315
Reporter Anonymous
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168638/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader33.35922.43.16722.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b064b112-47a4-4ce3-bf69-859ef9d4de9d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/809040
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441451 Sample: FR1D7MsfxA Startdate: 29/06/2021 Architecture: WINDOWS Score: 92 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Sigma detected: Suspect Svchost Activity 2->70 72 Sigma detected: Suspicious Svchost Process 2->72 8 loaddll32.exe 1 2->8         started        10 regsvr32.exe 2->10         started        12 rundll32.exe 2->12         started        process3 process4 14 rundll32.exe 8->14         started        17 regsvr32.exe 8->17         started        19 iexplore.exe 1 73 8->19         started        21 cmd.exe 1 8->21         started        signatures5 84 Writes to foreign memory regions 14->84 86 Allocates memory in foreign processes 14->86 23 wermgr.exe 14->23         started        27 wermgr.exe 17->27         started        29 iexplore.exe 155 19->29         started        31 rundll32.exe 21->31         started        process6 dnsIp7 52 203.176.138.46, 443, 49766 MEKONGNET-ADC-AS-APANGKORDATACOMMUNICATIONKH Cambodia 23->52 54 78.186.110.14, 447 TTNETTR Turkey 23->54 60 11 other IPs or domains 23->60 76 Hijacks the control flow in another process 23->76 78 Writes to foreign memory regions 23->78 33 svchost.exe 10 23->33         started        38 svchost.exe 23->38         started        56 116.212.152.225, 443, 49756, 49776 MEKONGNET-ADC-AS-APANGKORDATACOMMUNICATIONKH Cambodia 27->56 58 220.82.64.198, 443, 49744, 49755 HSU18035-AS-KRHANSEOUNIVERSITYKR Korea Republic of 27->58 62 6 other IPs or domains 27->62 80 Tries to detect virtualization through RDTSC time measurements 27->80 82 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 27->82 40 svchost.exe 10 27->40         started        42 svchost.exe 27->42         started        64 10 other IPs or domains 29->64 signatures8 process9 dnsIp10 50 12.23.113.92, 443, 49771, 49777 ATT-INTERNET4US United States 33->50 44 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 33->44 dropped 46 C:\Users\user\AppData\...\Login Data.bak, SQLite 33->46 dropped 48 C:\Users\user\AppData\Local\...\History.bak, SQLite 33->48 dropped 74 Tries to harvest and steal browser information (history, passwords, etc) 33->74 file11 signatures12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-06-26 18:45:00 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0cbb778ba97972e04788fa7fee0d36e4c0e584df2dd07fa9cc93c6fa1a81a6b2
TrickBot
241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808
TrickBot
3ab24a8fd91dc87da83930eb33c9bab160031eaca849f9ecc32448b386e2f724
TrickBot
3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18
TrickBot
63460db804ae28d642ede8b1c6126958dc0d42c4e526903fca6e147569a7b9d0
TrickBot
678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24
TrickBot
697dea4b154178e8de096c66167b539aa4465155d294b11765f1a1886eb7c56d
TrickBot
7f77b60f4ba221f7a29938d0b3e8f568a4ecb4f010a122770a4173cd96d32c4e
TrickBot
a8f0fe4419ee163d9230feca6a00693c5f61948159fe869ead51ec3398b7038d
TrickBot
c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2
TrickBot
+ 803 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:sp2 banker trojan
Link:
https://tria.ge/reports/210628-kn7ry1kv9x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
14.232.161.45:443
118.173.233.64:443
41.57.156.203:443
45.239.234.2:443
45.201.136.3:443
177.10.90.29:443
185.17.105.236:443
91.237.161.87:443
185.189.55.207:443
186.225.119.170:443
143.0.208.20:443
222.124.16.74:443
220.82.64.198:443
200.236.218.62:443
178.216.28.59:443
45.239.233.131:443
196.216.59.174:443
119.202.8.249:443
82.159.149.37:443
49.248.217.170:443
181.114.215.239:443
113.160.132.237:443
105.30.26.50:443
202.165.47.106:443
103.122.228.44:443
Unpacked files
SH256 hash:
d5d0597a298b39af4ab96fea4ed4172378b5ce2327e991f1f23a823805f0bb2f
MD5 hash:
bbd92c224a9b31b12bf7b0a782555258
SHA1 hash:
fd80a9735d84f6b2a7b34b9ed7d486d17732c79f
Link:
https://www.unpac.me/results/7065d53a-f0d6-4edc-82eb-b68ac59768c4/
SH256 hash:
0c6c26ca1a3215e846042390c8022f2026c876be634ed187341da8b57e4e1cf5
MD5 hash:
af43deba1a3727ca561a294b237ce312
SHA1 hash:
ed134f87cb14228bea8af997b681f49ad1c0565b
Link:
https://www.unpac.me/results/7065d53a-f0d6-4edc-82eb-b68ac59768c4/
SH256 hash:
db4867e6d8095f133cec557248681f566cc7b58a58c9d524821ff34c3febf39e
MD5 hash:
29f696fe3cb90202f326d58325a4d279
SHA1 hash:
9127aef85bcd0ef3b3970c448e44d93a6ee35a2c
Link:
https://www.unpac.me/results/7065d53a-f0d6-4edc-82eb-b68ac59768c4/
SH256 hash:
f2ea07be3afc91219bc4ccadb9435f9d6e08538753b5a5dfca9822520ee99d2a
MD5 hash:
2b661fc5acdfdf4ae0df0ec5602cd94c
SHA1 hash:
3baa7bdeb81ec59c200f68ec52d8b07cc7cc665b
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7065d53a-f0d6-4edc-82eb-b68ac59768c4/
SH256 hash:
1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989
MD5 hash:
4d8bfe6d8032b97fc117edce65acc3ca
SHA1 hash:
68c3b2bb07d2f05e6c469a5f2a208494c37c22f8
Link:
https://www.unpac.me/results/7065d53a-f0d6-4edc-82eb-b68ac59768c4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168638/

Comments