MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
SHA3-384 hash: 936fde68e78b2c1e1f78839237c87492ade4976bd68251177028af76dc5f9ea294c42264118b2dfac36863d4770c009e
SHA1 hash: 8a0056ed0f37d71433390a5bc5c622f5aefd3c14
MD5 hash: c767d0720a6e988ecc30eaadef5c0ebe
humanhash: arizona-fish-texas-enemy
File name:c767d0720a6e988ecc30eaadef5c0ebe
Download: download sample
Signature TrickBot
Create hunting rule
File size:397'355 bytes
First seen:2021-08-19 09:02:39 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 89aafe32fea223936c5c233bf06df6d3 (4 x TrickBot)
ssdeep 6144:vW3hPpvF9A3hAfKKC64zROB6NBbTN+qGfhI6zSRZKhoRli2fFzs:vWR9AhAfKbRO6NBbTMp/STKhoHi2fFzs
Threatray 1'531 similar samples on MalwareBazaar
TLSH T19584E062F1D600B6CDBB5AB4082F2AB2CEB52D485BE44BCF2F94EA8F10375D19532355
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter zbetcheckin
Tags:32 dll exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180618/
Detection(s):
SecuriteInfo.com.Artemis32F0B80EB20E.6175.9223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/208c0d0d-6e0a-446c-9447-75d33d9bf673
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835662
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468103 Sample: dlnuSwuhN0 Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 3 other signatures 2->60 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 rundll32.exe 8->17         started        19 rundll32.exe 10->19         started        signatures5 74 Writes to foreign memory regions 12->74 76 Allocates memory in foreign processes 12->76 78 Delayed program exit found 12->78 21 wermgr.exe 3 12->21         started        26 cmd.exe 12->26         started        28 rundll32.exe 15->28         started        30 wermgr.exe 17->30         started        32 cmd.exe 17->32         started        process6 dnsIp7 48 36.66.188.251, 443, 49728 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID Indonesia 21->48 50 128.201.76.252, 443, 49718, 49727 PedroFArrudaJuniorMEBR Brazil 21->50 52 8 other IPs or domains 21->52 40 C:\Users\user\AppData\...\cedlnuSwuhN0ao.dmo, PE32 21->40 dropped 64 May check the online IP address of the machine 21->64 66 Writes to foreign memory regions 21->66 68 Tries to detect virtualization through RDTSC time measurements 21->68 70 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 21->70 72 Allocates memory in foreign processes 28->72 34 wermgr.exe 28->34         started        38 cmd.exe 28->38         started        file8 signatures9 process10 dnsIp11 42 65.152.201.203, 443 CENTURYLINK-US-LEGACY-QWESTUS United States 34->42 44 182.253.210.130, 443, 49734 BIZNET-AS-APBIZNETNETWORKSID Indonesia 34->44 46 9 other IPs or domains 34->46 62 Writes to foreign memory regions 34->62 signatures12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575/
Threat name:
Win32.Infostealer.Trickster
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 09:03:05 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
145922b0a4d90db4438ca924535a6f058472744a29b3a4f2875846a84bd41b99
TrickBot
336c374c048c503e3e4f6d5f3d357ca49cc5ecf0187378a3869edcc050b9d441
TrickBot
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
TrickBot
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
TrickBot
82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5
TrickBot
f60d8bd3ca821e7de945f17d646654b7c0f25949aa8c6f780313925076444fc2
TrickBot
+ 1'521 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob122 banker trojan
Link:
https://tria.ge/reports/210819-fchnaltk4e/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
2b1486851660e075c92aa7d897d7772f09f4a28f00493af4e16d9539dd03f2d5
MD5 hash:
08a3e3e5f6ffbd21e1c997d1680329a2
SHA1 hash:
c7934cf033056c2bb41b8c632d1d09850445923f
Link:
https://www.unpac.me/results/f55bb1fc-bca6-4c32-9cde-c3b9437801f5/
SH256 hash:
e18e981ed0ce0fbae5a9e779dc079912c76579f2d263b06a2ad0ae2aa9650371
MD5 hash:
1376d8eae859c63397f2b893a8aa2f41
SHA1 hash:
c528ec9eec33311caa802f0c8c348f5455f942fa
Link:
https://www.unpac.me/results/f55bb1fc-bca6-4c32-9cde-c3b9437801f5/
SH256 hash:
d252d3b6a54c92fa72aca6b1f6ab8f496bf3cf8fd26b896119833049ea838a04
MD5 hash:
1247b0034cbbbe01806723a4c7e1049c
SHA1 hash:
67dd211e1fc07c6f6237919981c4e9567d35bc05
Link:
https://www.unpac.me/results/f55bb1fc-bca6-4c32-9cde-c3b9437801f5/
SH256 hash:
607ae69db9a94f6c75a215adcd1a9ffbdd4a66c09ec0d50f274f83cab8ad58f2
MD5 hash:
b3de5e4b04465abeff5029931234f2b4
SHA1 hash:
341533cf70a4f74f3bf9313ba9570d7930bb2f9b
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/f55bb1fc-bca6-4c32-9cde-c3b9437801f5/
Parent samples :
82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4
607ae69db9a94f6c75a215adcd1a9ffbdd4a66c09ec0d50f274f83cab8ad58f2
cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5
2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
9c8e26bdf89634254162a5529bd2c8c3bc4c2215be3d7cb39a47fcd0327c045d
SH256 hash:
2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
MD5 hash:
c767d0720a6e988ecc30eaadef5c0ebe
SHA1 hash:
8a0056ed0f37d71433390a5bc5c622f5aefd3c14
Link:
https://www.unpac.me/results/f55bb1fc-bca6-4c32-9cde-c3b9437801f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180618/

Comments


Avatar
zbet commented on 2021-08-19 09:02:40 UTC

url : hxxp://91.92.109.16/images/redtank.png