MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98
SHA3-384 hash: 7d04652bb4e2b6134b50f942071f3139ab25262e8db5865a8ce0314417c5d57c5d95ac4def16787c04f94d43fa610913
SHA1 hash: 4d497f28729fdd9ecf77a988c21b8bf14fb00bf1
MD5 hash: 9e9f6820918e25457661ad5372bfc981
humanhash: butter-cup-nitrogen-sodium
File name:9e9f6820918e25457661ad5372bfc981.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:524'288 bytes
First seen:2021-10-07 09:22:09 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fd98f67a63ecc847a2028c66b8388afb (8 x TrickBot)
ssdeep 6144:b3oOkxQXFDzaLtFD2aD3tAKit6lltqFpaI28VwPHK6+TDrAo0dThI9eq0NIaP:b3ExQ1DzM1b7qFp12iwPqvDr2VI9bZa
Threatray 4'090 similar samples on MalwareBazaar
TLSH T1A8B4DF02B3C08836D67B227A49ABD71933B9FC204F65C38726C47E5F6E326D55E26352
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195790/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Trickpak.gen.14965.2038.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/615ebd2cb95458900cddfb3c/reports/11d1569f-865f-49b3-b47a-2d6aae4db799/overview
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866212
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498640 Sample: DTtJ8cMoFj.dll Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Found malware configuration 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 3 other signatures 2->74 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 rundll32.exe 8->17         started        signatures5 86 Writes to foreign memory regions 12->86 88 Allocates memory in foreign processes 12->88 90 Queues an APC in another process (thread injection) 12->90 19 wermgr.exe 12->19         started        23 cmd.exe 12->23         started        25 rundll32.exe 15->25         started        27 wermgr.exe 17->27         started        29 cmd.exe 17->29         started        process6 dnsIp7 50 43.252.158.104, 443, 49763, 49866 GMEDIA-AS-IDPTMediaSaranaDataID Indonesia 19->50 52 181.129.167.82, 443, 49751, 49753 EPMTelecomunicacionesSAESPCO Colombia 19->52 54 4 other IPs or domains 19->54 76 Hijacks the control flow in another process 19->76 78 May check the online IP address of the machine 19->78 80 Writes to foreign memory regions 19->80 84 2 other signatures 19->84 31 svchost.exe 11 19->31         started        36 svchost.exe 19->36         started        82 Allocates memory in foreign processes 25->82 38 wermgr.exe 25->38         started        40 cmd.exe 25->40         started        signatures8 process9 dnsIp10 56 203.109.82.172, 443, 49878, 49904 YOU-INDIA-APYOUBroadbandCableIndiaLtdIN India 31->56 58 103.201.142.30, 443, 49875, 49901 WORLD-ASWorldStarCommunicationIN India 31->58 64 24 other IPs or domains 31->64 42 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 31->42 dropped 44 C:\Users\user\AppData\...\Login Data.bak, SQLite 31->44 dropped 46 C:\Users\user\AppData\Local\...\History.bak, SQLite 31->46 dropped 48 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 31->48 dropped 66 Tries to harvest and steal browser information (history, passwords, etc) 31->66 60 46.99.175.149, 443, 49750, 49861 IPKO-ASAL Albania 38->60 62 192.168.2.1 unknown unknown 38->62 file11 signatures12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 09:22:14 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0c447e49621b34d77ed3787c07cf0e52d2db4c33a113fb6aa9074df277fdf1eb
TrickBot
37c129eb8bb575d7ac12fdd14b5d05edee15c1230d7b712e5b9d2533f78dc5b4
TrickBot
4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919
TrickBot
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
TrickBot
98190daef6fabe0513518943ffbc9abcaf4dd7c0bfd37bc996fbbe261d831b3c
TrickBot
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
TrickBot
cc70ac8b26533957b1e85c73a31e5a141b6cf7b73111a04e53a48ebf0e615415
TrickBot
dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727
TrickBot
decd474e4c808ac1a3255e1b6aecab359028bbadb6852f9ff70b33fdea648978
TrickBot
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
TrickBot
+ 4'080 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:fat1 banker trojan
Link:
https://tria.ge/reports/211007-lcgmxscbf4/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
9c8b04423100da077bd128ce7f819064f7ed1a6c8897a792bfc1b20423ef6988
MD5 hash:
e6cf2df32bbebb0a2bddd0ad04fdfbe4
SHA1 hash:
ea316e164aeddd9832426023daf04f8a2f47f26d
Link:
https://www.unpac.me/results/9dc0ef01-66fc-4b24-a52f-085fc5ebd80d/
SH256 hash:
ee60352e84e0eea543aed0f41ab70ac65cd0ac4226c42b09c0177dfa5ada2dfa
MD5 hash:
e6fc3463f7df7f7e661b352346681d60
SHA1 hash:
da11152f274bcc29ce33ec9cd6da21685f350f84
Link:
https://www.unpac.me/results/9dc0ef01-66fc-4b24-a52f-085fc5ebd80d/
SH256 hash:
6a7713508a070a4ef2123bfc999fb9bf012ee5fe475a3b3adfeb99990c6a664d
MD5 hash:
30ec7187a0d5f14d5535929a274e51aa
SHA1 hash:
8040f763f4d0bf018f4a1a73965151b2dcb323f7
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9dc0ef01-66fc-4b24-a52f-085fc5ebd80d/
Parent samples :
cc70ac8b26533957b1e85c73a31e5a141b6cf7b73111a04e53a48ebf0e615415
dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727
37c129eb8bb575d7ac12fdd14b5d05edee15c1230d7b712e5b9d2533f78dc5b4
0c447e49621b34d77ed3787c07cf0e52d2db4c33a113fb6aa9074df277fdf1eb
4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919
264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98
61d1417ece7c1bbd2fd4ca685fc92c5239fa8ced521b90cd92cebc983d4fcc5e
dbd1cfed3d0b57ac4b4affbcd942287617d1f7bdd322ba2464d22020e4e29200
SH256 hash:
3c7991fab579f08e337fe14fab42616ab1df9e1899db4508b50671b941f265e9
MD5 hash:
f3332f3fc1dd8fb7dc499cb566afd81b
SHA1 hash:
3c57fab42973d602992deff26060aad835d8ad87
Link:
https://www.unpac.me/results/9dc0ef01-66fc-4b24-a52f-085fc5ebd80d/
SH256 hash:
264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98
MD5 hash:
9e9f6820918e25457661ad5372bfc981
SHA1 hash:
4d497f28729fdd9ecf77a988c21b8bf14fb00bf1
Link:
https://www.unpac.me/results/9dc0ef01-66fc-4b24-a52f-085fc5ebd80d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/264d7d0ebc40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1659212/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195790/

Comments