MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22068c7cbb40c3149b694b5fca1675d95e7e12509b36fa37350c194737c6c1f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 8

SHA256 hash: 22068c7cbb40c3149b694b5fca1675d95e7e12509b36fa37350c194737c6c1f9
SHA3-384 hash: 9e9f48d9aac2a847a0c571d4fcee00eabfa8fc3d53dc42e13690a684c24c0356df1b84defe704a892c335665409b060f
SHA1 hash: a61cda70371db1c12965c236bb485392df957ce7
MD5 hash: 37e26534b70abd664cfed4961ad6ecbf
humanhash: wisconsin-music-alanine-pennsylvania
File name: 37e26534b70abd664cfed4961ad6ecbf.dll
Signature: TrickBot
File size: 688'640 bytes
First seen: 2021-08-16 17:52:53 UTC
Last seen: 2021-08-16 20:49:47 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 9330bf385780db42e73f6bd2f0835d5b (1 x TrickBot)
ssdeep: 12288:T8F4fHXi7upUbuedoBYi5SG//xm6e2vJQbPzSzTu1XLxh2w:g4aCdsjmHxw2vJ8S2FX2
Threatray: 5 similar samples on MalwareBazaar
TLSH: T1BEE4D0273C91502AE46C41BE127DB718CAEEE41242F5E54FFDD5E1F80CA28854AEDA1F
Reporter: abuse_ch
Tags: dll rob122 TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 221
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: TrickBot
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph ID: 466193 (sample bkkzn7fYoN.dll, start date 16/08/2021, architecture WINDOWS, score 100). The graph is rendered on the original page; its process tree runs loaddll32.exe and rundll32.exe -> cmd.exe, rundll32.exe, iexplore.exe -> wermgr.exe, WerFault.exe -> svchost.exe, with the signatures listed above (Snort IDS alert, malware configuration found, multi AV scanner detection, writes to foreign memory regions, allocates memory in foreign processes, RDTSC virtualization check, evasive sleep-tampering API chain) attached to the wermgr.exe and rundll32.exe nodes.
Threat name: Win32.Trojan.Cloxer
Status: Malicious
First seen: 2021-08-16 17:53:14 UTC
AV detection: 8 of 28 (28.57%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob122 banker trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Trickbot
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: TrickBot
File: DLL 22068c7cbb40c3149b694b5fca1675d95e7e12509b36fa37350c194737c6c1f9 (this sample)
Distributed via web download