MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520
SHA3-384 hash: 32c605feecaf6f1ec1df1451ddb7770ad2da85f36718be68ed5b984ec4627f42de89aa5d927c8cb0392c7d0aba49e506
SHA1 hash: 74b21db750ba635fef711d67028cec8946ecb506
MD5 hash: 5c4f11f182d70c0e379cbd8e74d3a23a
humanhash: angel-lithium-fish-lactose
File name:5c4f11f182d70c0e379cbd8e74d3a23a.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:723'456 bytes
First seen:2021-10-22 10:04:57 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 0287a7604016003972a047b182e6c22a (4 x TrickBot)
ssdeep 12288:7NP2qgMhn9VbKac3cM15xIKR5pduDkgcKOuCEUz+ovYJXA8ZRA5cXO/+uBY2F0cC:RPp2abM15xIxD4KXJg/vYRbKDBhF1TSz
TLSH T15AF4AFD59A5296D7FA46CC3AC30065A7C4D71F329A61F0F5EC0B2213BDB39A28476B13
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199345/
Detection(s):
SecuriteInfo.com.ML.PE-A.20796.15946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/61728cd19a5a1e91c5ceb0d8/reports/1f2804c0-d717-4f43-a692-a8b404c53f1a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8afe0b6-1751-4473-99a0-115cf2e20d2d
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875166
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507597 Sample: Qen6XuvBwQ.dll Startdate: 22/10/2021 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected Trickbot 2->46 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 rundll32.exe 8->13         started        15 cmd.exe 1 8->15         started        signatures5 48 Writes to foreign memory regions 10->48 50 Allocates memory in foreign processes 10->50 52 Found potential dummy code loops (likely to delay analysis) 10->52 54 Delayed program exit found 10->54 17 wermgr.exe 10->17         started        20 cmd.exe 10->20         started        56 Hijacks the control flow in another process 13->56 22 wermgr.exe 13->22         started        24 cmd.exe 13->24         started        26 rundll32.exe 15->26         started        process6 signatures7 32 Tries to detect virtualization through RDTSC time measurements 17->32 34 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 17->34 36 Writes to foreign memory regions 26->36 38 Allocates memory in foreign processes 26->38 28 wermgr.exe 26->28         started        30 cmd.exe 26->30         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520/
Threat name:
Win32.Trojan.KryptikAGen
Create hunting rule
Status:
Malicious
First seen:
2021-10-22 01:44:00 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6ankgufnwwuan5c3yrnc7whpi7wvb3izhjrf5ej7bm7tt2pauqa._file
Verdict:
malicious
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob136 banker trojan
Link:
https://tria.ge/reports/211022-l4hdjabdh7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
fe4113b32c3d774ac5210a04b6e0e339a93770edb97bfd004e1f5448ccba851d
MD5 hash:
4be9f19c34ee551f4c889f1c2f0fd469
SHA1 hash:
992d028dedbec8de291552613eccc39b96dd5d17
Link:
https://www.unpac.me/results/015252d4-e8c7-473a-9ad1-21adcd4268fd/
SH256 hash:
b2c4e3e3eacf501232242e9a340dfe29776ae79685e5cb7bdb25dcb168c793c3
MD5 hash:
5003d5e55f514b8f18d0c3b5d2942e2c
SHA1 hash:
5a197cabd54e8fdc40ee1bbce711ed3879d0089f
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/015252d4-e8c7-473a-9ad1-21adcd4268fd/
Parent samples :
968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb
f8cdd0190b5b1bc3a441e8298cdedec9f09bca6ff99ec0b461d7730985ffb78b
1455e78e95b8e3b9df5eb8d8d1703018c927694c6269e01f1b846abdfa054b82
65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b
af7526d30d40da60e83b0423f338f0740886321eadaae86ce16c10af44e44c3e
c0c4cf3a74e70f837e73f44ed95789946b02de457b6155ddc4e14a9441f92048
4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520
SH256 hash:
4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520
MD5 hash:
5c4f11f182d70c0e379cbd8e74d3a23a
SHA1 hash:
74b21db750ba635fef711d67028cec8946ecb506
Link:
https://www.unpac.me/results/015252d4-e8c7-473a-9ad1-21adcd4268fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/199345/
  
URLhaus
https://urlhaus.abuse.ch/url/1705531/
  
Delivery method
Distributed via web download

Comments