MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c08a4614de36445ea712490ef4699a1414db5449936b8ca2e801e1e8fa12151. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c08a4614de36445ea712490ef4699a1414db5449936b8ca2e801e1e8fa12151
SHA3-384 hash: 5adcdb7ca8a7e32f41d9c22c39adb1fa2cd8af8777bd7c5e2eeb1842f57c3ae709a8000f3909bfc241d39afd5db4a529
SHA1 hash: 3f5eb9641acca56147d97a5d585acaeec255606c
MD5 hash: f9aab568fb0b6d14c2e7167b437b952e
humanhash: autumn-sad-cardinal-virginia
File name:f9aab568fb0b6d14c2e7167b437b952e
Download: download sample
Signature TrickBot
Create hunting rule
File size:610'304 bytes
First seen:2021-12-23 17:37:02 UTC
Last seen:2021-12-23 20:03:33 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3396fd32a73a107b1ba2648267266e5c (1 x TrickBot)
ssdeep 6144:+cp5nzFSbTEunWzAE5nUmZSVv/7nSDnlvlrbd9+hmaCXkZ1d4JLiYfkpV/UQDKvS:x8TEWstKmZSVHGvlrbd9ImdXEPafkR
Threatray 4'318 similar samples on MalwareBazaar
TLSH T177D4CF3DF2FC803BD57B1B7DB9C7826962E87F118BA0A24F7B807A9D59B08859D10315
File icon (PE):PE icon
dhash icon 32f0f9e8f0cce0e8 (1 x TrickBot)
Reporter zbetcheckin
Tags:32 dll exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
893
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216007/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.31880.20960.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/61c4b3c1ec6c6c14a9ed00a4/reports/be07a53e-efd2-4dd2-9efb-a477aa677477/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bab39d2-0275-40fe-88ac-b5adfed2e681
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912153
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 544626 Sample: K9SSaPQ6v3 Startdate: 23/12/2021 Architecture: WINDOWS Score: 100 33 103.36.79.3 WOWSOLUTIONS-ASWowSolutionsandSystemsPvtLtdIN India 2->33 35 189.51.118.78 VIPWayTelecomunicacoesLtdaBR Brazil 2->35 37 24 other IPs or domains 2->37 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 9->16         started        signatures6 55 Writes to foreign memory regions 11->55 57 Allocates memory in foreign processes 11->57 59 Queues an APC in another process (thread injection) 11->59 61 Delayed program exit found 11->61 18 wermgr.exe 11->18         started        21 cmd.exe 11->21         started        23 rundll32.exe 14->23         started        25 wermgr.exe 16->25         started        27 cmd.exe 16->27         started        process7 signatures8 39 Tries to detect virtualization through RDTSC time measurements 18->39 41 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 18->41 43 Writes to foreign memory regions 23->43 45 Allocates memory in foreign processes 23->45 29 wermgr.exe 23->29         started        31 cmd.exe 23->31         started        process9
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4c08a4614de36445ea712490ef4699a1414db5449936b8ca2e801e1e8fa12151/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-12-23 17:38:13 UTC
File Type:
PE (Dll)
Extracted files:
39
AV detection:
10 of 28 (35.71%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
06933c7b3bddbb3d920172216f4886e811397ef933665ff700b3539774e000d4
TrickBot
3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e
TrickBot
49e61873c2864b4a39bfb6c520ea9644d1b38088cd11a6d0f2f6ced91b793856
TrickBot
6b62e970d1c770e694aaccad7d7b874895731ed5c7c6029be9f6badc3b533332
TrickBot
8ab49e939399e4dd51e665e119b4d76c12cae36b3c72bb8aedf9c2ef73903a78
TrickBot
d423f00832f44b4195a686c691b2f20e55bd4c31145a43561f83f1ea661bfc60
TrickBot
def94d349e3c5637e40dcf603fd7c41d8807f13c0804bea48f1e098fd7629578
TrickBot
f723a66d74e36a5e249a72c8f2a4cc4a7a313ecbf83198df5d377bb52f452768
TrickBot
+ 4'308 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob144 banker trojan
Link:
https://tria.ge/reports/211223-v6694sbdb6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
181.129.85.98:443
189.112.119.205:443
189.51.118.78:443
186.121.214.106:443
49.176.188.184:443
61.69.102.170:443
213.32.252.221:443
89.46.216.2:443
103.36.79.3:443
103.108.97.51:443
95.140.217.242:443
41.175.22.226:443
190.109.169.161:443
186.159.12.18:443
190.109.171.17:443
181.196.148.202:443
186.47.75.58:443
186.42.212.30:443
190.214.21.14:443
187.108.32.133:443
201.184.226.74:443
186.159.5.177:443
Unpacked files
SH256 hash:
360684cb333d08b9c8782748e8c1590623dd60f4c75c4912bec76dc7e37ea227
MD5 hash:
e1602afc7a2400d4ae5497fdfe2dc12e
SHA1 hash:
e1a85eac8cf6508efb81636484555d3507ebc6f4
Link:
https://www.unpac.me/results/a940fa0f-ac45-4641-b2c2-f505b10bade1/
SH256 hash:
26c75b2adf54e81fa8c2aedbc773d5b5e845d9dffec9ea8de3a7ef9c2412214e
MD5 hash:
cf1ec1bfb9da5dcb0f193f7e485bd441
SHA1 hash:
1962f8f90e7a51231fcd970e572a447139529256
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a940fa0f-ac45-4641-b2c2-f505b10bade1/
Parent samples :
f5a0b5b7892adbca1bce723fd952544006cfa8f05a9888f77544416287e99a8b
4c08a4614de36445ea712490ef4699a1414db5449936b8ca2e801e1e8fa12151
d3b6ecc403a04c8df0c501d2cd369c01635620aa5eb2da01698d0d319dd1b781
SH256 hash:
de5149e32b88ad81cd3c99b1011ba29f135fe585eaf0a41e059f5e03d90197a6
MD5 hash:
c3d46b4c992744dbdfaf87885f29edcf
SHA1 hash:
16fe1d89b4c6bd067353a9b556eff12c0f9911fd
Link:
https://www.unpac.me/results/a940fa0f-ac45-4641-b2c2-f505b10bade1/
SH256 hash:
4c08a4614de36445ea712490ef4699a1414db5449936b8ca2e801e1e8fa12151
MD5 hash:
f9aab568fb0b6d14c2e7167b437b952e
SHA1 hash:
3f5eb9641acca56147d97a5d585acaeec255606c
Link:
https://www.unpac.me/results/a940fa0f-ac45-4641-b2c2-f505b10bade1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4c08a4614de3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c08a4614de36445ea712490ef4699a1414db5449936b8ca2e801e1e8fa12151

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 4c08a4614de36445ea712490ef4699a1414db5449936b8ca2e801e1e8fa12151

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1914519/
Cape
Cape
https://www.capesandbox.com/analysis/216007/

Comments


Avatar
zbet commented on 2021-12-23 17:37:04 UTC

url : hxxps://coachingcorporal.cl/Readme.png