MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb
SHA3-384 hash: 735476f806efc62920d528637134638ed74c32bd0cea2f21679db5e08d82d6392abba9fedae374c5f92055e16a75b79c
SHA1 hash: 5dcdc624d060a0042f69015c7950d2ae9d96544b
MD5 hash: c78794773a20cbfee3e12d8c60251599
humanhash: sink-washington-nitrogen-magnesium
File name:0.php
Download: download sample
Signature TrickBot
Create hunting rule
File size:794'624 bytes
First seen:2021-08-05 17:53:59 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c58acd1a7324d600ff8070fca15fb4ff (1 x TrickBot)
ssdeep 12288:hDDAkNIAa/wqt/Lzh5qRUPH4WM8nYryvTHMPDsKREXBbW:RPKt/RN4fpuHMPYKRUBbW
Threatray 927 similar samples on MalwareBazaar
TLSH T172F48B3371958073DC6A2574F92D277872E9AD604B7B8AC7D3C32A9E28F56C1C83560E
dhash icon 71b519d4c7576333 (2 x TrickBot)
Reporter abuse_ch
Tags:dll sat3 TrickBot


Avatar
abuse_ch
TrickBot payload URL:
http://162.248.227.43/a.php

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176769/
Detection(s):
SecuriteInfo.com.generic.ml.23172.15331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Changing a file
Launching a process
Creating a file
Sending a UDP request
Connection attempt
Sending a custom TCP request
DNS request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89820445-f627-4d93-bbe8-1785cc9eb725
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827598
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460028 Sample: 0.php Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Found malware configuration 2->74 76 Yara detected Trickbot 2->76 78 3 other signatures 2->78 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        12 regsvr32.exe 2->12         started        process3 process4 14 rundll32.exe 8->14         started        17 regsvr32.exe 8->17         started        19 iexplore.exe 1 75 8->19         started        21 2 other processes 8->21 signatures5 90 Writes to foreign memory regions 14->90 92 Allocates memory in foreign processes 14->92 23 wermgr.exe 14->23         started        27 cmd.exe 14->27         started        29 wermgr.exe 2 17->29         started        31 cmd.exe 17->31         started        33 iexplore.exe 2 153 19->33         started        35 rundll32.exe 21->35         started        process6 dnsIp7 66 6 other IPs or domains 23->66 82 Hijacks the control flow in another process 23->82 84 Writes to foreign memory regions 23->84 37 svchost.exe 23->37         started        58 5.152.175.57, 443, 49756 SKYLOGIC-ASIT Spain 29->58 60 46.99.175.217, 443, 49748, 49750 IPKO-ASAL Albania 29->60 68 6 other IPs or domains 29->68 86 Tries to detect virtualization through RDTSC time measurements 29->86 88 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 29->88 42 svchost.exe 29->42         started        62 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49743, 49744 YAHOO-DEBDE United Kingdom 33->62 64 dart.l.doubleclick.net 142.250.186.102, 443, 49731, 49732 GOOGLEUS United States 33->64 70 15 other IPs or domains 33->70 44 cmd.exe 35->44         started        signatures8 process9 dnsIp10 54 45.230.176.157, 443, 49800 NetMontesTelecomunicacoeseServicosLtdaBR Brazil 37->54 56 63.147.234.198, 443, 49801 DC7US United States 37->56 46 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 37->46 dropped 48 C:\Users\user\AppData\...\Login Data.bak, SQLite 37->48 dropped 50 C:\Users\user\AppData\Local\...\History.bak, SQLite 37->50 dropped 52 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 37->52 dropped 80 Tries to harvest and steal browser information (history, passwords, etc) 37->80 file11 signatures12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gz6ntrhzq7ntlrcvheywhcfceeik3733buhfd5r45nadjiadpp5q._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c
TrickBot
5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38
TrickBot
892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7
TrickBot
9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad
TrickBot
bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
TrickBot
fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be
TrickBot
+ 917 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:sat3 banker trojan
Link:
https://tria.ge/reports/210805-nw9nzgvcwe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
f7937d8e4785a28d47f5c5c98b4384222c0b998e5c56cbd1cd70306a9b5be8ee
MD5 hash:
c8c3980bb7f5717ad287ed50377efc5d
SHA1 hash:
95753c6816d48528c7cbe2b61d0b1e97753a7268
Link:
https://www.unpac.me/results/33bd5412-f86e-4c9f-8bb5-0f77f0d74add/
SH256 hash:
a73f267529eedd1994ad6cabe4466addbe1fcbccf0f44dafdfbcaad6b5f7ef8a
MD5 hash:
eb7567696f99ab8d8eb1c36676386622
SHA1 hash:
92f9fa10b01b09279423f555fbfddf4a6139d217
Link:
https://www.unpac.me/results/33bd5412-f86e-4c9f-8bb5-0f77f0d74add/
SH256 hash:
254326a0b4021fc40ab45f42fad5a71a2ffba68612f99d156a1719104c4ee2ad
MD5 hash:
342da6ca762f0eeefedf837251cf2c08
SHA1 hash:
61dd151328c804f26a5c5e21823b73b7f1ea1341
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/33bd5412-f86e-4c9f-8bb5-0f77f0d74add/
SH256 hash:
59e7cdb6235f71a07dfcfa483f93dcc2027e58974a1a957dca7dc82bbda66d0f
MD5 hash:
dda22d2a5102fac1278bc2263580d7b0
SHA1 hash:
4e9db3aca0dd431964877ec4c33514ea310ce087
Link:
https://www.unpac.me/results/33bd5412-f86e-4c9f-8bb5-0f77f0d74add/
SH256 hash:
367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb
MD5 hash:
c78794773a20cbfee3e12d8c60251599
SHA1 hash:
5dcdc624d060a0042f69015c7950d2ae9d96544b
Link:
https://www.unpac.me/results/33bd5412-f86e-4c9f-8bb5-0f77f0d74add/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/367cd9c4f987/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xlsm 90f48be7100a93a5e5b241ccf8bd5de70fbb3566558926310219256f1013603e

TrickBot

DLL dll 367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1508993/
  
Dropped by
SHA256 90f48be7100a93a5e5b241ccf8bd5de70fbb3566558926310219256f1013603e
  
Dropped by
MD5 d27ac168b5642518471c6e94c894d9c1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176769/

Comments