MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
SHA3-384 hash: 6787a7d6cd0bcddd6680161b253035246598916a88c9256906d853abfd3dbc554ea8b2dc3858179a4860ff5c6e4c35f1
SHA1 hash: cf1c05d670381dabf7736874655e0998f318ac9f
MD5 hash: 296686ae5812e910d79d472f6db4f00d
humanhash: whiskey-dakota-butter-river
File name:documents.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:716'851 bytes
First seen:2021-08-18 07:15:04 UTC
Last seen:2021-08-18 10:55:45 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 0293ee5688b0a5f1cbe136d065e99917 (3 x TrickBot)
ssdeep 12288:C+Ffmf1EHyvwS0quEuY4qNA2ub3qanS0bW2LuCbtOQniX6Fz:9SvwlquEB79ubaaSCvftfniX0z
Threatray 1'529 similar samples on MalwareBazaar
TLSH T1ECE4D012F5D1C0B6C2AE16302B177BB963F9ECA17DB9D507E744F74F1E329029626222
dhash icon ceaaba8e92a870b0 (3 x TrickBot)
Reporter JAMESWT_WT
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
3
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180221/
Detection(s):
SecuriteInfo.com.Variant.Zusy.398038.24392.8208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b66aed4a-200d-4478-9ef4-11bf5c66e343
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834916
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467347 Sample: documents.exe Startdate: 18/08/2021 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Found malware configuration 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 4 other signatures 2->80 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 cmd.exe 1 9->15         started        17 rundll32.exe 9->17         started        20 rundll32.exe 9->20         started        signatures5 22 rundll32.exe 15->22         started        70 Writes to foreign memory regions 17->70 72 Allocates memory in foreign processes 17->72 25 wermgr.exe 17->25         started        28 cmd.exe 17->28         started        30 wermgr.exe 20->30         started        32 cmd.exe 20->32         started        process6 dnsIp7 86 Writes to foreign memory regions 22->86 88 Allocates memory in foreign processes 22->88 34 wermgr.exe 22->34         started        38 cmd.exe 22->38         started        64 75.176.235.182, 443, 49711 TWC-11426-CAROLINASUS United States 25->64 66 46.99.175.217, 443, 49699, 49703 IPKO-ASAL Albania 25->66 68 7 other IPs or domains 25->68 90 Hijacks the control flow in another process 25->90 92 May check the online IP address of the machine 25->92 94 Tries to detect virtualization through RDTSC time measurements 25->94 96 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->96 40 svchost.exe 5 25->40         started        42 svchost.exe 25->42         started        signatures8 process9 dnsIp10 58 185.56.175.122, 443, 49713, 49718 VIRTUAOPERATOR-ASPL Poland 34->58 60 216.166.148.187, 443 CYBERNET1US United States 34->60 62 10 other IPs or domains 34->62 82 Hijacks the control flow in another process 34->82 84 Writes to foreign memory regions 34->84 44 svchost.exe 5 34->44         started        48 svchost.exe 34->48         started        signatures11 process12 file13 50 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 44->50 dropped 52 C:\Users\user\AppData\...\Login Data.bak, SQLite 44->52 dropped 54 C:\Users\user\AppData\Local\...\History.bak, SQLite 44->54 dropped 56 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 44->56 dropped 98 Tries to harvest and steal browser information (history, passwords, etc) 44->98 signatures14
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce/
Threat name:
Win32.Trojan.TrickBotCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 07:15:13 UTC
File Type:
PE (Dll)
Extracted files:
30
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
145922b0a4d90db4438ca924535a6f058472744a29b3a4f2875846a84bd41b99
TrickBot
2181358d62d130161a6a06e4b3a9081a2da06a363f6918a5b1345c36775bb315
TrickBot
336c374c048c503e3e4f6d5f3d357ca49cc5ecf0187378a3869edcc050b9d441
TrickBot
58eb3b6a9dd371f2b5c39166f7f52d0fdaa6ec8a32962221cf4f44a47c3e67e7
TrickBot
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
TrickBot
f60d8bd3ca821e7de945f17d646654b7c0f25949aa8c6f780313925076444fc2
TrickBot
ff460f5b7a62a1fcd51e82bf43fc7b5264552c53e3924ffb771d7c8355a99ade
TrickBot
+ 1'519 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob122 banker trojan
Link:
https://tria.ge/reports/210818-qp2htqsqje/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
6f49a15c911af98ee94e62b1b81600ffce5c22832ce7dcf436471debc2a2a209
MD5 hash:
047fbd38483009cb4456edb0374b6cf1
SHA1 hash:
91499129c20d028fe7dfd24878725f345d70b589
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/43ddadff-5be0-4826-b73d-136b652851b4/
Parent samples :
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
22068c7cbb40c3149b694b5fca1675d95e7e12509b36fa37350c194737c6c1f9
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
SH256 hash:
ee7f7f53d9afafdc1553658d3382647e7d9db8e890d1ce8347e3ee52f1824222
MD5 hash:
c867c0747a12c29535b1f323e04f5ac8
SHA1 hash:
3e24f4a2fa09ef47abfb721bc6d26e020d116465
Link:
https://www.unpac.me/results/43ddadff-5be0-4826-b73d-136b652851b4/
SH256 hash:
b9f41cc8df28cf8645769e486df59fe32aa0a5b29f891edb05b00544959d8030
MD5 hash:
c94c7ca4577cf2fa627e0d8791015ff7
SHA1 hash:
3b1c9105e1c1f7e74bad7138ff26698e0f977da5
Link:
https://www.unpac.me/results/43ddadff-5be0-4826-b73d-136b652851b4/
SH256 hash:
948e4fa0294f376eb4ee1528dd9ad261e02c8fc21e545d166d87f22c062ace0a
MD5 hash:
18fb8ac7679fbf67e107895de3272232
SHA1 hash:
39a316f5544656729e3ab8e1298a3820c8167e69
Link:
https://www.unpac.me/results/43ddadff-5be0-4826-b73d-136b652851b4/
SH256 hash:
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
MD5 hash:
296686ae5812e910d79d472f6db4f00d
SHA1 hash:
cf1c05d670381dabf7736874655e0998f318ac9f
Link:
https://www.unpac.me/results/43ddadff-5be0-4826-b73d-136b652851b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180221/
  
URLhaus
https://urlhaus.abuse.ch/url/1543854/

Comments