MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 10



SHA256 hash: 4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9
SHA3-384 hash: 514078ff9ce503783dc05b9017c143b3cbd5a9d39d03f673ef23fae450cfd46134dc54d9a6987ffdf99f2e1f9bd1499c
SHA1 hash: f4dae0a6e298a594faa76aac8f362030226fab77
MD5 hash: a7ddc63878394313d1a854e22b1c323f
humanhash: august-video-nitrogen-lake
File name: ACT96MC98SD.bin
Signature: TrickBot
File size: 266'240 bytes
First seen: 2020-10-24 07:17:56 UTC
Last seen: 2020-10-24 07:58:25 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 987d64010842398d46662bc5abb01981 (1 x TrickBot)
ssdeep: 6144:rpmh0Pis7qmjvEp5z2Ju+txMWbXoUy/DaW/DnyifWTOG4hcKGCcAwZaN1:rpgmis7zEv2JuijyDaW/DNcKGCc
Threatray: 33 similar samples on MalwareBazaar
TLSH: 07441246606468F0EA6186748187EF07DB7F982166E428972FFD1E86FF212E06537363
Reporter: JAMESWT_WT
Tags: TrickBot
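Before any analysis, confirm that the bytes you have are the file this record describes. The following is an added example (not MalwareBazaar's own tooling): it recomputes every digest the record lists (SHA256, SHA3-384, SHA1, MD5) plus the file size with Python's standard library and reports which fields disagree. The record values are copied from the entry above; the `verify_file` helper and its command-line usage are this example's own.

```python
import hashlib

# Digests and size copied from the MalwareBazaar record above for this sample.
RECORD = {
    "sha256": "4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9",
    "sha3_384": "514078ff9ce503783dc05b9017c143b3cbd5a9d39d03f673ef23fae450cfd46134dc54d9a6987ffdf99f2e1f9bd1499c",
    "sha1": "f4dae0a6e298a594faa76aac8f362030226fab77",
    "md5": "a7ddc63878394313d1a854e22b1c323f",
    "size": 266240,
}


def digest_record(data: bytes) -> dict:
    """Compute the same fields MalwareBazaar lists for a file, from its raw bytes."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def verify_sample(data: bytes, record: dict) -> list:
    """Return the names of record fields that do not match the bytes.

    Every field present in `record` is checked, so a partial record (e.g. only
    SHA256) works too; an empty list means the bytes are the file the record
    describes. Checking all digests rather than only MD5 avoids trusting a
    weak hash on its own, and the size check catches a truncated download.
    """
    actual = digest_record(data)
    return [
        field for field, expected in record.items()
        if str(actual[field]).lower() != str(expected).lower()
    ]


def verify_file(path: str, record: dict = RECORD) -> list:
    """Read a file from disk (e.g. the extracted sample) and verify it against the record."""
    with open(path, "rb") as fh:
        return verify_sample(fh.read(), record)


if __name__ == "__main__":
    import sys

    # Usage (hypothetical path): python verify_sample.py ACT96MC98SD.bin
    mismatches = verify_file(sys.argv[1])
    print("OK: file matches the record" if not mismatches
          else "MISMATCH in: " + ", ".join(mismatches))
```

Run it against the extracted sample, not the downloaded archive: archive digests will never match the record, and a mismatch on only one field usually means the record was copied incorrectly rather than that the file is wrong.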

Intelligence


File Origin
# of uploads: 2
# of downloads: 179
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100
Signature:
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour:
Behavior Graph (ID 303410, sample ACT96MC98SD.bin, start date 24/10/2020, architecture WINDOWS, score 60): signatures Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Multi AV Scanner detection for submitted file, Machine Learning detection for sample. Process tree: loaddll32.exe starts cmd.exe and regsvr32.exe; cmd.exe starts iexplore.exe, which starts a second iexplore.exe; regsvr32.exe starts WerFault.exe. Network (from the second iexplore.exe): tls13.taboola.map.fastly.net 151.101.1.44:443 (FASTLYUS, United States), www.msn.com, and 7 other IPs or domains.
Result
Threat name: Win32.Trojan.TrickBot
Status: Malicious
First seen: 2020-10-24 07:19:04 UTC
File Type: PE (Dll)
Extracted files: 3
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: trojan banker family:trickbot
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
45.67.231.68:443
92.62.65.163:449
186.159.8.218:449
200.116.232.186:449
36.91.87.227:449
103.76.169.213:449
181.143.186.42:449
179.127.88.41:449
103.66.10.87:449
199.38.120.77:449
208.86.162.249:449
199.38.120.90:449
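The extracted C2 list is the part of this record most directly usable for detection. The following is an added example (not MalwareBazaar's or any vendor's code) that loads the ip:port pairs above, matches them against Zeek conn.log-style records, and emits Suricata/Snort rules for them. The log lines are constructed for illustration; the high/medium confidence split and the SID range are this example's own assumptions. Note the sandbox signature "Snort IDS alert for network traffic" above: rules like these are how that verdict is produced.

```python
import ipaddress

# C2 endpoints copied from the "C2 Extraction" list above (ip:port).
TRICKBOT_C2 = """
45.67.231.68:443
92.62.65.163:449
186.159.8.218:449
200.116.232.186:449
36.91.87.227:449
103.76.169.213:449
181.143.186.42:449
179.127.88.41:449
103.66.10.87:449
199.38.120.77:449
208.86.162.249:449
199.38.120.90:449
""".split()


def load_c2(entries):
    """Map each C2 address (normalised string) to the set of ports it was configured on."""
    c2 = {}
    for entry in entries:
        ip, _, port = entry.rpartition(":")
        key = str(ipaddress.ip_address(ip))  # rejects garbage, normalises the address
        c2.setdefault(key, set()).add(int(port))
    return c2


# Constructed Zeek conn.log-style lines for illustration (tab-separated:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto). Not real traffic.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1603524000.000000\tCabc1\t10.0.0.5\t49812\t92.62.65.163\t449\ttcp",
    "1603524001.000000\tCabc2\t10.0.0.5\t49813\t151.101.1.44\t443\ttcp",
    "1603524002.000000\tCabc3\t10.0.0.7\t49814\t45.67.231.68\t80\ttcp",
    "1603524003.000000\tCabc4\t10.0.0.7\t49815\t8.8.8.8\t53\tudp",
]


def match_conn_log(lines, c2):
    """Return one hit per connection whose responder IP is in the C2 list.

    A TCP connection to a listed IP on its listed port is 'high' confidence;
    the same IP on another port or protocol is 'medium', because this list is
    dated (first seen 2020-10-24) and hosting IPs get reused by unrelated
    services. Comment lines and short/garbled records are skipped.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = fields[:7]
        try:
            dst = str(ipaddress.ip_address(resp_h))
        except ValueError:
            continue
        if dst not in c2:
            continue
        try:
            port = int(resp_p)
        except ValueError:  # Zeek writes "-" for a missing field
            port = None
        exact = port in c2[dst] and proto == "tcp"
        hits.append({"uid": uid, "src": orig_h, "dst": f"{dst}:{resp_p}",
                     "confidence": "high" if exact else "medium"})
    return hits


def suricata_rules(c2, base_sid=9000001):
    """Emit one Suricata/Snort rule per ip:port pair. The SID range is an assumption; pick a local one."""
    rules = []
    sid = base_sid
    for ip in sorted(c2, key=lambda a: int(ipaddress.ip_address(a))):
        for port in sorted(c2[ip]):
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"TrickBot C2 from MalwareBazaar sample 4f9ee40b"; flow:to_server; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    table = load_c2(TRICKBOT_C2)
    for hit in match_conn_log(SAMPLE_CONN_LOG, table):
        print(hit)
    print("\n".join(suricata_rules(table)))
```

Treat IP-based rules from a single sample as short-lived: retire them once the hosting is observed serving benign traffic, and prefer the port-qualified rules above over bare IP blocklists for the same reason.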
Unpacked files

SHA256 hash: a45ea8e8bd55df26edd437fa4b23b67f376318ffd732aff656db8f5417c03073
MD5 hash: cb2c8cd10404dfe9518eb7b16e92c195
SHA1 hash: 6ab15ab8c4eeb64b9a92948b05725e5a856f21e7
Detections: win_trickbot_a4

SHA256 hash: 321dc798dbc83bb374b210d360d6ff3732f64576281f8beefe608ac5ee5d03a5
MD5 hash: d8cb547f3a2524187b80230b2f58b02b
SHA1 hash: aab1dd04f0ba3e640371d21a309ae4c05ff8c280
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto

SHA256 hash: 41a8b564613b51886245529be1e15dcd37f472916092670f8521dc51cafae164
MD5 hash: a022dc090571bd6051869ac703c9dad2
SHA1 hash: eb1114471e329df8b714ddeb29d61413e8701a3e
Detections: win_trickbot_a4

SHA256 hash: 4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9
MD5 hash: a7ddc63878394313d1a854e22b1c323f
SHA1 hash: f4dae0a6e298a594faa76aac8f362030226fab77