MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bb31bc2b42a2678d228ef7650d03ced7ce695fdd83a20af2fbda152b53a0b24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9


SHA256 hash: 4bb31bc2b42a2678d228ef7650d03ced7ce695fdd83a20af2fbda152b53a0b24
SHA3-384 hash: 7d966a86199136946ddfc04483b60ed93bf9eee38f4e657b5fcb0eeb8221472ef610650a6a39709e969fe4649ce963c6
SHA1 hash: 263e8cd1d36f65170460d9b1de33f464bdc20c91
MD5 hash: a0854a9c935ef23bb5d39af676567c22
humanhash: triple-delta-november-september
File name: a0854a9c935ef23bb5d39af676567c22.dll
Signature: TrickBot
File size: 305'664 bytes
First seen: 2021-03-20 08:24:47 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 6eaded21fcdb132a5ae4e0f258cad60f (2 x TrickBot)
ssdeep: 6144:iSeXBXE6K+qCobYHeOU+W5OizwNGjFBZwt4wXoJalaH:PexXE6K+q7b+e0rN+FB8oUl
Threatray: 1 similar samples on MalwareBazaar
TLSH: 2D54E08172448171DCAA2B305C779F284A2FBE51BEF0904F9F6A316DAF733C26521B56
Reporter: abuse_ch
Tags: a156 dll TrickBot

Intelligence

File Origin
# of uploads: 1
# of downloads: 418
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour: Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature: Machine Learning detection for sample; Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 372379; sample qBWNhVCXPb.dll; start date 20/03/2021; architecture WINDOWS; score 52):
Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process tree: loaddll32.exe -> cmd.exe, rundll32.exe, regsvr32.exe; cmd.exe -> iexplore.exe -> iexplore.exe
Network: tls13.taboola.map.fastly.net (151.101.1.44:443, FASTLYUS, United States); geolocation.onetrust.com (104.20.184.68:443, CLOUDFLARENETUS, United States); 8 other IPs or domains
Threat name: Win32.Trojan.Trickpak
Status: Malicious
First seen: 2021-03-19 21:34:22 UTC
File Type: PE (Dll)
Extracted files: 15
AV detection: 9 of 28 (32.14%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:mon156 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 39c45f33dfb6ea523a860bfc300750fcac17c349e9c1a6652ab7dc0016ca4cce
MD5 hash: 1aff7a26ea95c5b9cd4204efbb7ee413
SHA1 hash: 13d9606cc845fb807753bb8eb978d52006782f89
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto

SHA256 hash: 4bb31bc2b42a2678d228ef7650d03ced7ce695fdd83a20af2fbda152b53a0b24
MD5 hash: a0854a9c935ef23bb5d39af676567c22
SHA1 hash: 263e8cd1d36f65170460d9b1de33f464bdc20c91
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: TrickBot
File type: DLL dll
SHA256: 4bb31bc2b42a2678d228ef7650d03ced7ce695fdd83a20af2fbda152b53a0b24 (this sample)

Comments