MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e31457cdda7e7efb0798e7b06c4c23251f3a5416bb4355bc2564e99c7d401b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e31457cdda7e7efb0798e7b06c4c23251f3a5416bb4355bc2564e99c7d401b0
SHA3-384 hash: 8d0e5f8b9d4b69b01e2ee638dd825c0a77bd1d1d720245b5a33ede396d4f575e42660ef7162a5e21891a20cf5b663dab
SHA1 hash: bff7507d7431bb52e902c22e558a090190a61e85
MD5 hash: 85632f6e4ce7f56a522d0796a6faa327
humanhash: fillet-autumn-winter-triple
File name:triage_dropped_file
Download: download sample
Signature TrickBot
Create hunting rule
File size:413'311 bytes
First seen:2021-07-01 13:53:48 UTC
Last seen:2021-07-01 14:57:49 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9c7729e7e6125436737710b1ba737d7e (4 x TrickBot)
ssdeep 6144:54Gp1gZmFlZKmP4jrc9/5fS9XJqLSYmHiNKhV5C:JrgZm7ZKmP4jrGg9XKg6Ko
Threatray 4 similar samples on MalwareBazaar
TLSH 9D94E1226641C871D18B11399A7297755EAEBC129BB065CB2FE03EBF6E247C1CF35306
Reporter malwarelabnet
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169170/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.16209.30574.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41eb940c-93a1-47b4-a99a-1426a2d8d087
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/810589
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443000 Sample: triage_dropped_file.dll Startdate: 01/07/2021 Architecture: WINDOWS Score: 72 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        12 cmd.exe 1 7->12         started        14 iexplore.exe 2 83 7->14         started        16 3 other processes 7->16 signatures5 52 Writes to foreign memory regions 9->52 54 Allocates memory in foreign processes 9->54 18 wermgr.exe 9->18         started        22 rundll32.exe 12->22         started        24 iexplore.exe 5 149 14->24         started        26 WerFault.exe 9 16->26         started        28 WerFault.exe 16->28         started        process6 dnsIp7 30 ip.anysrc.net 116.203.16.95, 49765, 80 HETZNER-ASDE Germany 18->30 32 186.225.119.170, 443, 49763 America-NETLtdaBR Brazil 18->32 38 5 other IPs or domains 18->38 46 Tries to detect virtualization through RDTSC time measurements 18->46 48 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 18->48 50 Delayed program exit found 22->50 34 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49746, 49747 YAHOO-DEBDE United Kingdom 24->34 36 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49740, 49741 FASTLYUS United States 24->36 40 10 other IPs or domains 24->40 signatures8
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3e31457cdda7e7efb0798e7b06c4c23251f3a5416bb4355bc2564e99c7d401b0/
Verdict:
unknown
Similar samples:
54f6fe3e63891e2c0b925cf17385c6df56d824cee163111e93fef76c6476a535
TrickBot
5f53adb34adbcb6eeec29d48e9d80a401d1476eff2e826cb2c7ac02d8d7e2785
TrickBot
7d4d5ddf016f84445c94bf5ee4d715be092f8711b70ebd17f48f2956fba0487d
TrickBot
e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:zev1 banker trojan
Link:
https://tria.ge/reports/210701-qyvnt81hhx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
14.232.161.45:443
118.173.233.64:443
41.57.156.203:443
45.239.234.2:443
45.201.136.3:443
177.10.90.29:443
185.17.105.236:443
91.237.161.87:443
185.189.55.207:443
186.225.119.170:443
143.0.208.20:443
222.124.16.74:443
220.82.64.198:443
200.236.218.62:443
178.216.28.59:443
45.239.233.131:443
196.216.59.174:443
119.202.8.249:443
82.159.149.37:443
49.248.217.170:443
181.114.215.239:443
113.160.132.237:443
105.30.26.50:443
202.165.47.106:443
103.122.228.44:443
Unpacked files
SH256 hash:
3e31457cdda7e7efb0798e7b06c4c23251f3a5416bb4355bc2564e99c7d401b0
MD5 hash:
85632f6e4ce7f56a522d0796a6faa327
SHA1 hash:
bff7507d7431bb52e902c22e558a090190a61e85
Link:
https://www.unpac.me/results/e2cd68be-283d-45bd-ac7c-e2e079358dda/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e31457cdda7e7efb0798e7b06c4c23251f3a5416bb4355bc2564e99c7d401b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169170/

Comments