MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2476550bd33cd834fa3a3927eb30de299621870f50b5f0265453d10c74d65c55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: TrickBot
Vendor detections: 9

SHA256 hash: 2476550bd33cd834fa3a3927eb30de299621870f50b5f0265453d10c74d65c55
SHA3-384 hash: 1a64599832725699ababebb53ca0d0b1b6f16afa833443a5eadc0716c9e2563887c62f672d7d2bcada8664363ca81156
SHA1 hash: 649f04d70f41fc297259d968f1fd3560d0acf003
MD5 hash: 2bbea30e8aa273b0386a0de617f8988c
humanhash: avocado-west-aspen-kilo
File name: qLpOgGg.dll
Signature: TrickBot
File size: 315'392 bytes
First seen: 2020-10-20 20:35:25 UTC
Last seen: 2020-10-25 21:16:47 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 99120bf2197688bcbf47b8c5220c8876 (1 x TrickBot)
ssdeep: 6144:P8ck0gRIHMAyIde/skq7b2gBB/xkLqLQ66BkoE+faIIFg:E5OHWIde/rq7i8boVFnf+
Threatray: 574 similar samples on MalwareBazaar
TLSH: 08640202F5C2C4BAD88A463514CAAB6F677DE4204ED49DC34FA10B8D5EB67D1AD3630B
Reporter: ffforward
Tags: dll TrickBot

Intelligence


File Origin
# of uploads: 2
# of downloads: 134
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100
Signature:
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour:
Behavior Graph (ID 301385; sample qLpOgGg.dll; start date 20/10/2020; architecture WINDOWS; score 56)
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file
Process tree:
loaddll32.exe (started)
    cmd.exe (started)
        iexplore.exe (started)
            iexplore.exe (started)
                tls13.taboola.map.fastly.net 151.101.1.44, ports 443, 49743, 49744 (FASTLYUS, United States)
                www.msn.com
                8 other IPs or domains
    regsvr32.exe (started)
        WerFault.exe (started)
Threat name: Win32.Trojan.EmotetAC
Status: Malicious
First seen: 2020-10-20 20:36:20 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: trojan banker family:trickbot
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
51.89.163.40:443
89.223.126.186:443
45.67.231.68:443
148.251.185.165:443
194.87.110.144:443
213.32.84.27:443
185.234.72.35:443
45.89.125.148:443
195.123.240.104:443
185.99.2.243:443
5.182.211.223:443
195.123.240.113:443
85.204.116.173:443
5.152.210.188:443
103.36.48.103:449
36.94.33.102:449
36.91.87.227:449
177.190.69.162:449
103.76.169.213:449
179.97.246.23:449
200.24.67.161:449
181.143.186.42:449
190.99.97.42:449
179.127.88.41:449
117.252.214.138:449
117.222.63.145:449
45.224.213.234:449
45.237.241.97:449
125.165.20.104:449
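The C2 list above is the part of this entry most directly usable for detection. The following is an added example, not code from MalwareBazaar or from the sandbox vendors: it parses the extracted ip:port list into a validated indicator set, summarises the port split (443 versus the non-standard 449), and runs the indicators over a handful of constructed firewall log lines in a hypothetical key=value format. The log lines and their format are assumptions for illustration; the 151.101.1.44 line reproduces the Fastly CDN address that the spawned iexplore.exe contacted in the sandbox graph, which is not a C2 and must not match. The `strict` flag shows the trade-off between matching the exact ip:port pair and matching on IP alone.

```python
import ipaddress
import re
from collections import Counter

# C2 endpoints copied from the "C2 Extraction" list of this MalwareBazaar entry.
TRICKBOT_C2_LIST = """
51.89.163.40:443
89.223.126.186:443
45.67.231.68:443
148.251.185.165:443
194.87.110.144:443
213.32.84.27:443
185.234.72.35:443
45.89.125.148:443
195.123.240.104:443
185.99.2.243:443
5.182.211.223:443
195.123.240.113:443
85.204.116.173:443
5.152.210.188:443
103.36.48.103:449
36.94.33.102:449
36.91.87.227:449
177.190.69.162:449
103.76.169.213:449
179.97.246.23:449
200.24.67.161:449
181.143.186.42:449
190.99.97.42:449
179.127.88.41:449
117.252.214.138:449
117.222.63.145:449
45.224.213.234:449
45.237.241.97:449
125.165.20.104:449
"""


def parse_c2_list(text):
    """Turn 'ip:port' lines into a set of (ip, port) tuples.
    Each address is validated with ipaddress so a typo raises instead of
    silently becoming an indicator that can never match."""
    endpoints = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"expected ip:port, got {line!r}")
        endpoints.add((str(ipaddress.ip_address(host)), int(port)))
    return endpoints


def port_profile(endpoints):
    """Count how many indicators use each destination port."""
    return Counter(port for _, port in endpoints)


# Constructed firewall log lines (hypothetical format, not from the page).
# 151.101.1.44 is the Fastly CDN address from the sandbox graph: benign traffic.
SAMPLE_FIREWALL_LOG = """
2020-10-21T09:14:02Z src=10.0.5.23 dst=51.89.163.40 dport=443 proto=tcp action=allow
2020-10-21T09:14:05Z src=10.0.5.23 dst=151.101.1.44 dport=443 proto=tcp action=allow
2020-10-21T09:15:40Z src=10.0.7.8 dst=103.36.48.103 dport=449 proto=tcp action=allow
2020-10-21T09:15:41Z src=10.0.7.8 dst=103.36.48.103 dport=80 proto=tcp action=allow
2020-10-21T09:16:00Z malformed line that the parser must skip
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_connections(log_text, endpoints, strict=True):
    """Return (src, dst, dport) for every log line whose destination is a listed C2.
    strict=True requires the exact ip:port pair from the config.
    strict=False matches on IP alone, catching a listener moved to another port
    at the cost of more false positives on shared hosting."""
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        matched = (dst, dport) in endpoints if strict else dst in c2_ips
        if matched:
            hits.append((m["src"], dst, dport))
    return hits


if __name__ == "__main__":
    c2 = parse_c2_list(TRICKBOT_C2_LIST)
    print(f"{len(c2)} indicators, ports: {dict(port_profile(c2))}")
    for hit in match_connections(SAMPLE_FIREWALL_LOG, c2):
        print("strict hit:", hit)
    for hit in match_connections(SAMPLE_FIREWALL_LOG, c2, strict=False):
        print("loose hit:", hit)
```

Strict matching yields the two true C2 contacts (port 443 and port 449); loose matching adds the port 80 connection to a listed IP, which is worth a look but not proof of beaconing. Note that these indicators date from the sample's first-seen window (October 2020); TrickBot operators rotated C2 servers frequently, so the list is a point-in-time artefact, not a durable blocklist.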
Unpacked files

SHA256 hash: 2476550bd33cd834fa3a3927eb30de299621870f50b5f0265453d10c74d65c55
MD5 hash: 2bbea30e8aa273b0386a0de617f8988c
SHA1 hash: 649f04d70f41fc297259d968f1fd3560d0acf003
(this sample)

SHA256 hash: 59ef12514dd246145745d7d0f3104ca88b72d373746b07078c38ec3e7b031373
MD5 hash: f7cea8fc3c63dfd2646969d56a040307
SHA1 hash: 6df9f2d6d1d03a4b2cbcdaf5345dbcf080900d78
Detections: win_trickbot_a4

SHA256 hash: f84494544bc408dc53fb8a122d8b8519fb8f025b47871598fe743424683bb9fa
MD5 hash: 87c3bd7b3e4978f5eb29fd4fb9306dae
SHA1 hash: 784c31fbf76d240e736e7792ddd5f102e31e0232
Detections: win_trickbot_a4

SHA256 hash: f94fdfb0a47d547d55869b002be7fa45eeca7691d522a7f7b0a089fe6356a97e
MD5 hash: 09fcfe5122ac740eeb5fdd81173b18c0
SHA1 hash: d1e3f5a9d1dd43da2f462d67fef2809ab5a6d368
Detections: win_trickbot_a4 win_trickbot_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Signature: TrickBot
File type: DLL (dll)
SHA256: 2476550bd33cd834fa3a3927eb30de299621870f50b5f0265453d10c74d65c55 (this sample)