MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e
SHA3-384 hash: 0e25c3e8eb2e9257f76d2ba5f7bc1077f31a8957e2bf887498fd5692544a6981b8f76138fa95d34c65ce4ca8db3e9634
SHA1 hash: 78fe1f1f5547865f1cac31e36da5e970bbf05268
MD5 hash: cd424ccdabd6cfac66395d687b41db6a
humanhash: one-papa-robert-comet
File name:SecuriteInfo.com.Variant.Mikey.116755.11070.551
Download: download sample
Signature TrickBot
Create hunting rule
File size:417'280 bytes
First seen:2020-11-16 22:42:53 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash f4f51484e7e7876cfc3cad7263b0656a (1 x TrickBot)
ssdeep 12288:kfApFDevJhm6ussaV+xK/7HINrChkH4rq/:oqOhlnErCaYrq
Threatray 2'950 similar samples on MalwareBazaar
TLSH E794D0577481C033E17E1A384930DA71072FBD23EE60DAAB6754387B6E706C19E35A7A
Reporter SecuriteInfoCom
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Mikey.116755.11070.551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Connection attempt
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/538575
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318383 Sample: SecuriteInfo.com.Variant.Mi... Startdate: 17/11/2020 Architecture: WINDOWS Score: 72 29 Multi AV Scanner detection for submitted file 2->29 31 Machine Learning detection for sample 2->31 8 loaddll32.exe 1 2->8         started        process3 process4 10 regsvr32.exe 17 8->10         started        13 cmd.exe 1 8->13         started        signatures5 33 Writes to foreign memory regions 10->33 35 Allocates memory in foreign processes 10->35 37 Delayed program exit found 10->37 15 wermgr.exe 10->15         started        18 iexplore.exe 1 74 13->18         started        process6 signatures7 39 Tries to detect virtualization through RDTSC time measurements 15->39 41 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 15->41 20 iexplore.exe 160 18->20         started        process8 dnsIp9 23 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49744, 49745 FASTLYUS United States 20->23 25 www.msn.com 20->25 27 7 other IPs or domains 20->27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 09:42:00 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05b662e6e0ee03a3e2b87b14fcda6e28f8e048b62f5baeb698068b85d83b1181
TrickBot
06e399b781a4c5a13d67764d76189854beb3699409a5c5809eede651ba0f7435
TrickBot
09489e108c5b049847f98b97af75418db20af15d9cd727b240b922954b626845
TrickBot
3e19ed4f33254b7401b94a47e9a01a84990d22f76b6a31781d594d5c283adac9
TrickBot
6f4e027d6a43811701f9f73b69e77a83e51336457284fb7925dcbed71b13820c
TrickBot
7b3850e39e8474d1f218df0d2ba21a3315759ebed9b40957f6336d313103ffb6
TrickBot
7eb79859f61d8c17c2311867019dca95098df7f55c0ef00580f1cf7fa904a99f
TrickBot
7fee0f3adb6bb5a3ed22ad960709a87893e2512d099f6c8c39946097d9a4122b
TrickBot
bea4a28914661d6b96f19150a9231d4718a4566ac737c2703c146dd04cf594b9
TrickBot
e8b03d2e2f16d44d8ce2272bb7f19c80c3006215b00624c79c204c70f54d1d83
TrickBot
+ 2'940 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tar3 banker trojan
Link:
https://tria.ge/reports/201116-gyrjyzcnzs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
195.123.240.138:443
162.212.158.129:443
144.172.64.26:443
62.108.37.145:443
91.200.103.193:443
194.5.249.195:443
195.123.240.18:443
Unpacked files
SH256 hash:
4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e
MD5 hash:
cd424ccdabd6cfac66395d687b41db6a
SHA1 hash:
78fe1f1f5547865f1cac31e36da5e970bbf05268
Link:
https://www.unpac.me/results/41370a66-8ce8-44df-860c-a417de8ec383/
SH256 hash:
8d6a831e48162f7f7198d19689e216976b8d3deb31a88962fc6e9eaf99718a13
MD5 hash:
8ebabc7eb1c301952dcb484ae47f667e
SHA1 hash:
639d9df718cedaeef34bbf902d776ca62fb0a89f
Detections:
win_trickbot_a4
Create hunting rule
Link:
https://www.unpac.me/results/41370a66-8ce8-44df-860c-a417de8ec383/
SH256 hash:
7794cafe1d9b2ad7dde776465d116ae524d499f55d65a87c247789c1678d17a7
MD5 hash:
899ffe43a681cfc068b16d43f77228fe
SHA1 hash:
e10d41714c1525537ec791956e6c0774d0aa6a9e
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/41370a66-8ce8-44df-860c-a417de8ec383/
SH256 hash:
421585e97eb7dbfcc609cc33d5b90c1cf61a12594ba014f1a048a0abf3197b16
MD5 hash:
07cc11b1cbbaa5119431c735b721495e
SHA1 hash:
f1fbda64c08e54885e141ef4ac22f69226cb7b73
Detections:
win_trickbot_a4
Create hunting rule
Link:
https://www.unpac.me/results/41370a66-8ce8-44df-860c-a417de8ec383/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/824232/
  
Delivery method
Distributed via web download

Comments