MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919
SHA3-384 hash: 64a00f1affeb84e1b3954526b2c7ded825e411b8f630dfd71af5f1d4c2733bb1dc6538bd11312cea901c6c0b42c9f1ce
SHA1 hash: b976cb59c658c891073526aae2be9290756a4172
MD5 hash: d56843d37adfaaa63fee52165ccd8416
humanhash: missouri-mike-burger-johnny
File name:d56843d37adfaaa63fee52165ccd8416.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:524'288 bytes
First seen:2021-10-07 09:19:03 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fd98f67a63ecc847a2028c66b8388afb (8 x TrickBot)
ssdeep 6144:b3oOkxQXFDzaLtFD2aD3+AKit6lltqFpaI28VwPHK6+TDrAo0dThI9eq0NIaP:b3ExQ1DzM187qFp12iwPqvDr2VI9bZa
Threatray 4'090 similar samples on MalwareBazaar
TLSH T1DBB4DF02B3C08836D67B227A49ABD71933B9FC204F65C38726C47E5F6E326D55E26352
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:dll fat1 TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195788/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Trickpak.gen.14965.2038.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/615ebbc5e3d213d202b9a62c/reports/005b0fa2-5290-48bc-97fd-eddf279cac52/overview
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866200
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498631 Sample: x1Y6mEs1uM.dll Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Found malware configuration 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 3 other signatures 2->85 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 cmd.exe 1 9->15         started        17 rundll32.exe 9->17         started        20 rundll32.exe 9->20         started        signatures5 22 rundll32.exe 15->22         started        73 Writes to foreign memory regions 17->73 75 Allocates memory in foreign processes 17->75 77 Queues an APC in another process (thread injection) 17->77 25 wermgr.exe 17->25         started        28 cmd.exe 17->28         started        30 wermgr.exe 20->30         started        32 cmd.exe 20->32         started        process6 dnsIp7 91 Writes to foreign memory regions 22->91 93 Allocates memory in foreign processes 22->93 34 wermgr.exe 22->34         started        38 cmd.exe 22->38         started        67 185.56.175.122, 443, 49744, 49748 VIRTUAOPERATOR-ASPL Poland 25->67 69 105.27.205.34, 443, 49758, 49858 SEACOM-ASMU Mauritius 25->69 71 4 other IPs or domains 25->71 95 May check the online IP address of the machine 25->95 97 Tries to detect virtualization through RDTSC time measurements 25->97 99 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->99 signatures8 process9 dnsIp10 55 45.36.99.184, 443, 49745, 49751 TWC-11426-CAROLINASUS United States 34->55 57 ip.anysrc.net 34->57 59 4 other IPs or domains 34->59 87 Hijacks the control flow in another process 34->87 89 Writes to foreign memory regions 34->89 40 svchost.exe 11 34->40         started        45 svchost.exe 34->45         started        signatures11 process12 dnsIp13 61 203.109.82.172, 443, 49875, 49901 YOU-INDIA-APYOUBroadbandCableIndiaLtdIN India 40->61 63 103.201.142.30, 443, 49872, 49898 WORLD-ASWorldStarCommunicationIN India 40->63 65 24 other IPs or domains 40->65 47 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 40->47 dropped 49 C:\Users\user\AppData\...\Login Data.bak, SQLite 40->49 dropped 51 C:\Users\user\AppData\Local\...\History.bak, SQLite 40->51 dropped 53 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 40->53 dropped 101 Tries to harvest and steal browser information (history, passwords, etc) 40->101 file14 signatures15
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 09:20:15 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0c447e49621b34d77ed3787c07cf0e52d2db4c33a113fb6aa9074df277fdf1eb
TrickBot
264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98
TrickBot
37c129eb8bb575d7ac12fdd14b5d05edee15c1230d7b712e5b9d2533f78dc5b4
TrickBot
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
TrickBot
98190daef6fabe0513518943ffbc9abcaf4dd7c0bfd37bc996fbbe261d831b3c
TrickBot
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
TrickBot
cc70ac8b26533957b1e85c73a31e5a141b6cf7b73111a04e53a48ebf0e615415
TrickBot
dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727
TrickBot
decd474e4c808ac1a3255e1b6aecab359028bbadb6852f9ff70b33fdea648978
TrickBot
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
TrickBot
+ 4'080 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:fat1 banker suricata trojan
Link:
https://tria.ge/reports/211007-lar1wacdfj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
9c8b04423100da077bd128ce7f819064f7ed1a6c8897a792bfc1b20423ef6988
MD5 hash:
e6cf2df32bbebb0a2bddd0ad04fdfbe4
SHA1 hash:
ea316e164aeddd9832426023daf04f8a2f47f26d
Link:
https://www.unpac.me/results/7e4d3455-1732-4b78-b944-ba3534d47830/
SH256 hash:
ee60352e84e0eea543aed0f41ab70ac65cd0ac4226c42b09c0177dfa5ada2dfa
MD5 hash:
e6fc3463f7df7f7e661b352346681d60
SHA1 hash:
da11152f274bcc29ce33ec9cd6da21685f350f84
Link:
https://www.unpac.me/results/7e4d3455-1732-4b78-b944-ba3534d47830/
SH256 hash:
6a7713508a070a4ef2123bfc999fb9bf012ee5fe475a3b3adfeb99990c6a664d
MD5 hash:
30ec7187a0d5f14d5535929a274e51aa
SHA1 hash:
8040f763f4d0bf018f4a1a73965151b2dcb323f7
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7e4d3455-1732-4b78-b944-ba3534d47830/
Parent samples :
cc70ac8b26533957b1e85c73a31e5a141b6cf7b73111a04e53a48ebf0e615415
dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727
37c129eb8bb575d7ac12fdd14b5d05edee15c1230d7b712e5b9d2533f78dc5b4
0c447e49621b34d77ed3787c07cf0e52d2db4c33a113fb6aa9074df277fdf1eb
4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919
264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98
61d1417ece7c1bbd2fd4ca685fc92c5239fa8ced521b90cd92cebc983d4fcc5e
dbd1cfed3d0b57ac4b4affbcd942287617d1f7bdd322ba2464d22020e4e29200
SH256 hash:
3c7991fab579f08e337fe14fab42616ab1df9e1899db4508b50671b941f265e9
MD5 hash:
f3332f3fc1dd8fb7dc499cb566afd81b
SHA1 hash:
3c57fab42973d602992deff26060aad835d8ad87
Link:
https://www.unpac.me/results/7e4d3455-1732-4b78-b944-ba3534d47830/
SH256 hash:
4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919
MD5 hash:
d56843d37adfaaa63fee52165ccd8416
SHA1 hash:
b976cb59c658c891073526aae2be9290756a4172
Link:
https://www.unpac.me/results/7e4d3455-1732-4b78-b944-ba3534d47830/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4cb721ef0fd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/195788/
  
URLhaus
https://urlhaus.abuse.ch/url/1659212/
  
Delivery method
Distributed via web download

Comments