MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b70ed83db2eef5aedb7a0185ecc17345c32bb0d8c218716c71d73425d32fd03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b70ed83db2eef5aedb7a0185ecc17345c32bb0d8c218716c71d73425d32fd03
SHA3-384 hash: 7b3c4ac198231ac6871393dbd67bd8aaa19197ab6128fff9469960f1324616e028fffbffbd93309d4f62cf889a1cc973
SHA1 hash: 94029c50c64e5a4a590e290decf4d83df9425786
MD5 hash: 2b1eb009e6282801c4ec6a417e9861e5
humanhash: beryllium-georgia-two-lion
File name:counters.strike
Download: download sample
Signature TrickBot
Create hunting rule
File size:417'280 bytes
First seen:2021-02-25 17:26:34 UTC
Last seen:2021-02-25 18:47:36 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash cc966929d884b5380158e8949d4dff77 (1 x TrickBot)
ssdeep 6144:wYvdYEI89jK5TemZQyI3zOkP2lngpwQkDCCzUZDizofMvmFAPPfeA:ZTXK59ZQ13/inguQwJQhpO5n2A
Threatray 2 similar samples on MalwareBazaar
TLSH E694CF31FA984C26C5F91A3B18B5FFC3D43EF38C1F651653BAAC05AE4760461A298B53
Reporter p5yb34m
Tags:dll rob64 TrickBot


Avatar
p5yb34m
Source: http://sundancemotelwy.com/dummy/counters.strike

Intelligence

File Origin
# of uploads :
3
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119275/
Detection(s):
SecuriteInfo.com.generic.ml.5662.12703.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/619017
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 358505 Sample: counters.strike Startdate: 25/02/2021 Architecture: WINDOWS Score: 96 30 41.77.134.250 moztel-asMZ Mozambique 2->30 32 192.162.238.186 VINASTERISK-ASUA Ukraine 2->32 34 8 other IPs or domains 2->34 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 9->11         started        14 cmd.exe 1 9->14         started        16 regsvr32.exe 9->16         started        signatures6 54 Writes to foreign memory regions 11->54 56 Allocates memory in foreign processes 11->56 18 wermgr.exe 11->18         started        21 wermgr.exe 11->21         started        23 iexplore.exe 2 72 14->23         started        25 WerFault.exe 23 9 16->25         started        process7 signatures8 42 Tries to detect virtualization through RDTSC time measurements 18->42 44 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 18->44 27 iexplore.exe 146 23->27         started        process9 dnsIp10 36 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49741, 49742 YAHOO-DEBDE United Kingdom 27->36 38 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49735, 49736 FASTLYUS United States 27->38 40 10 other IPs or domains 27->40
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4b70ed83db2eef5aedb7a0185ecc17345c32bb0d8c218716c71d73425d32fd03/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 16:01:18 UTC
File Type:
PE (Dll)
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jnyo3a63f3xvv3nxuamf5taxgrodfoynrqqyofwhdvzuexjs7ubq._file
Verdict:
unknown
Similar samples:
5161665dbc1b26196029cfc7eb77f87d0868a714cb692c698a0da2d84265e714
TrickBot
f63b169e6589d2403bf32cca047ead493f0fb6490250366dbdff4b72384765b5
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob64 banker trojan
Link:
https://tria.ge/reports/210225-ymq1xqkeln/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
41.77.134.250:449
45.155.173.242:443
192.162.238.186:449
142.112.79.223:449
122.2.28.70:449
154.126.176.30:449
45.230.244.20:443
182.253.107.34:443
200.52.147.93:443
123.200.26.246:449
131.255.106.152:449
177.85.133.118:449
103.225.138.94:449
142.202.191.164:443
95.210.118.90:449
36.94.62.207:443
201.20.118.122:449
180.92.238.186:449
103.130.6.244:449
202.91.41.138:449
187.20.217.129:449
Unpacked files
SH256 hash:
29cc13c36db073ba5901a0dfefae414f69d84bd66e0decb81733e54e0f19ba0a
MD5 hash:
b92f31e30735002286f15d78369b6e2e
SHA1 hash:
8a8710991df672193462863fea81c47144e7a818
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/4f611c66-527c-4886-92f1-e08e839e2e9d/
SH256 hash:
b43be2c8aebd65260f61868afdcbc54c63006302fe3e364c94e3c0b105b459dc
MD5 hash:
57e457058c8d921f5a6331b604ed53d2
SHA1 hash:
87fbe909120fb3cdaa8f7156d0eb13daaf398c18
Link:
https://www.unpac.me/results/4f611c66-527c-4886-92f1-e08e839e2e9d/
SH256 hash:
4b70ed83db2eef5aedb7a0185ecc17345c32bb0d8c218716c71d73425d32fd03
MD5 hash:
2b1eb009e6282801c4ec6a417e9861e5
SHA1 hash:
94029c50c64e5a4a590e290decf4d83df9425786
Link:
https://www.unpac.me/results/4f611c66-527c-4886-92f1-e08e839e2e9d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 4b70ed83db2eef5aedb7a0185ecc17345c32bb0d8c218716c71d73425d32fd03

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/119275/
  
URLhaus
https://urlhaus.abuse.ch/url/1029790/
  
URLhaus
https://urlhaus.abuse.ch/url/1029866/

Comments