MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

SHA256 hash: 5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38
SHA3-384 hash: b0c03e9295282c0c5b1a57041c05caeb8a1884e12382be921e3509b2776477cc30769d7d0db8283ee2b80bef503ccd6a
SHA1 hash: f158ca6c7b99c22f387c1c295cc465934fd341dc
MD5 hash: 2579509c702db759221ad5e279bc4b28
humanhash: cat-uniform-juliet-snake
File name: dAEhsrJ.pdf
Signature: TrickBot
File size: 590'336 bytes
First seen: 2021-08-02 15:58:16 UTC
Last seen: 2021-08-02 19:42:52 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: b29b82f2eb87e4f684ab680db98e1b5d (1 x TrickBot)
ssdeep: 12288:N60Dsb0NqNeD5K2wlmvZJl6Y6Vs3pULHVDxqhXsqiVj:N6OsGq4D5K2FZJk+Z4pwtsXt
Threatray: 3'667 similar samples on MalwareBazaar
TLSH: T1B9C4BF217780C436C69A35355917E37526EDBC709EE1C387BFD43A3D6E321F29A2824A
dhash icon: 71f8f0e0f2ea78b9 (3 x TrickBot, 1 x BazaLoader)
Reporter: abuse_ch
Tags: dll rob118 TrickBot
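Before detonating or sharing the download, confirm that the bytes you extracted are the file this entry describes: the file name carries a .pdf extension while the file type is a DLL, so an extension-based check tells you nothing. The block below is an added example, not code from MalwareBazaar or from the reporter; it hashes a byte stream once with the four algorithms listed above (all available as standard-library hashlib constructors) and compares each digest with the entry's value. The payload bytes in the block are a constructed placeholder, so the run reports no match; point it at the extracted DLL to get a meaningful result.

```python
import hashlib
import io
from typing import BinaryIO, Dict

# Digests copied from the file information block of this MalwareBazaar entry.
ENTRY_HASHES = {
    "sha256": "5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38",
    "sha3_384": "b0c03e9295282c0c5b1a57041c05caeb8a1884e12382be921e3509b2776477cc30769d7d0db8283ee2b80bef503ccd6a",
    "sha1": "f158ca6c7b99c22f387c1c295cc465934fd341dc",
    "md5": "2579509c702db759221ad5e279bc4b28",
}

# hashlib constructor names matching the four digests shown on the entry.
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def digest_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the stream once and feed every chunk to all four hashers.

    One pass keeps memory flat for large samples and guarantees that all
    digests describe exactly the same bytes.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def digest_bytes(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (small files, tests)."""
    return digest_stream(io.BytesIO(data), chunk_size)


def verify_bytes(data: bytes, expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with the entry's values, per algorithm.

    Comparison is case-insensitive because copy/paste from web pages often
    changes case. An expected value of the wrong length is rejected with an
    exception instead of silently reporting False: a truncated hash can never
    match, and a plain "no match" would hide the copy error.
    """
    computed = digest_bytes(data)
    verdict: Dict[str, bool] = {}
    for name, want in expected.items():
        want = want.strip().lower()
        if len(want) != len(computed[name]):
            raise ValueError(
                f"{name}: expected digest has {len(want)} hex chars, "
                f"a {name} digest has {len(computed[name])}"
            )
        verdict[name] = computed[name] == want
    return verdict


if __name__ == "__main__":
    # Constructed placeholder, not the real 590'336-byte DLL: every
    # comparison is therefore expected to come back False.
    placeholder = b"MZ" + b"\x00" * 62
    print(verify_bytes(placeholder, ENTRY_HASHES))
```

SHA256 is the identifier to key on; MD5 and SHA1 are kept only because other feeds still index by them, and SHA3-384 is a useful cross-check that the entry itself was transcribed correctly.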


abuse_ch
TrickBot payload URLs:
http://grupotopbem.com.br/ashkere.php
https://docs.zohopublic.com/downloaddocument.do?docId=a9j4k534bed0120cb402a805aec3eda2c8ffc&docExtn=pdf

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Intelligence


File Origin
# of uploads: 3
# of downloads: 224
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: suspicious
Classification: n/a
Score: 22 / 100
Signature: Initial sample is a PE file and has a suspicious name
Behaviour
Behavior Graph (ID 458027; sample dAEhsrJ.pdf; start date 02/08/2021; architecture WINDOWS; score 22)
Signature: Initial sample is a PE file and has a suspicious name
Process tree: AcroRd32.exe started, spawning RdrCEF.exe and a second AcroRd32.exe; RdrCEF.exe started two further RdrCEF.exe processes and contacted 192.168.2.1 (unknown)
Note that this sandbox opened the file with Acrobat Reader on the strength of its .pdf extension. A DLL never executes that way, so this run did not load the sample at all; the score of 22 reflects a detonation that never reached the payload, not a benign file, and the vendor results below that classify it as TrickBot are the ones to weight.
Threat name: Win32.Infostealer.Trickster
Status: Malicious
First seen: 2021-08-02 15:59:03 UTC
AV detection: 8 of 28 (28.57%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob118 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
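The extracted configuration above is the most actionable artefact on the page: an ip:port list that can be matched against outbound connection logs. The block below is an added example, not code from MalwareBazaar or from the vendor that extracted the config; it parses the C2 block as pasted, then runs it over a few constructed firewall-style log lines (not from the page or any real network, in an assumed "timestamp src:sport -> dst:dport proto" layout). An exact ip:port hit is reported as high confidence; a listed IP on a different port is reported as medium, because every entry here is on 443 and TrickBot C2 addresses are frequently compromised hosts that also serve legitimate traffic. These IOCs date from 2021-08-02 and age quickly, so use the matcher for retrospective hunting over logs of that period rather than as a permanent blocklist.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# C2 list copied verbatim from the "C2 Extraction" block of this entry.
C2_BLOCK = """
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
"""

Endpoint = Tuple[str, int]


def parse_c2_list(block: str) -> Dict[Endpoint, str]:
    """Turn the pasted ip:port block into {(ip, port): original_line}.

    Lines that are not a valid IP address plus a port in 1..65535 are skipped
    rather than raising, so a stray heading or comment in the paste cannot
    take the whole list down.
    """
    endpoints: Dict[Endpoint, str] = {}
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            continue
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # tolerate [v6]:port
        except ValueError:
            continue
        endpoints[(str(ip), int(port))] = line
    return endpoints


# Constructed firewall-style log lines for the demo; they are NOT from the
# page or from any real network. Layout: "<ts> <src>:<sport> -> <dst>:<dport> <proto>".
SAMPLE_LOG = [
    "2021-08-02T16:01:12Z 10.0.0.15:51422 -> 65.152.201.203:443 tcp",
    "2021-08-02T16:01:13Z 10.0.0.15:51423 -> 203.0.113.10:443 tcp",
    "2021-08-02T16:02:40Z 10.0.0.22:40001 -> 46.99.175.217:8080 tcp",
    "garbage line that does not parse",
    "2021-08-02T16:03:00Z 10.0.0.15:51500 -> 82.159.149.52:443 tcp",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[0-9.]+):(?P<dport>\d+) (?P<proto>\S+)$"
)


def match_c2(log_lines: List[str], c2: Dict[Endpoint, str]) -> List[dict]:
    """Flag outbound connections to a listed C2.

    Exact ip:port match -> "high". Destination IP on the list but a different
    port -> "medium": possibly the same infrastructure, possibly a legitimate
    service on a compromised host, so it goes to triage rather than auto-block.
    Unparseable lines are skipped, never treated as hits.
    """
    listed_ips = {ip for ip, _ in c2}
    hits: List[dict] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in c2:
            hits.append({"src": m["src"], "ioc": f"{dst}:{dport}", "confidence": "high", "line": line})
        elif dst in listed_ips:
            hits.append({"src": m["src"], "ioc": dst, "confidence": "medium", "line": line})
    return hits


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG, parse_c2_list(C2_BLOCK)):
        print(f'{hit["confidence"]:6} {hit["src"]} -> {hit["ioc"]}')
```

Swap the regular expression for your own log format (Zeek conn.log, proxy, NetFlow) and keep the two-tier confidence split; it is what stops an IP-only match on a shared host from becoming an automatic block.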
Unpacked files

SHA256 hash: ed17884d26767ca2db174f41b5197d43c2ebd26055e8d5a767b881bc82c06ba4
MD5 hash: e4b01cbccf41851f08098b4bfe9c0a47
SHA1 hash: e63f3211eb8d4f8df25b1d33a4cc4b4e8d163bf3

SHA256 hash: 7db5bf06cfc04592c6cdffbf334f3be7342ee28e7823414c43269f496aff0a96
MD5 hash: a282b28e3f78bda8093e9dddcbd77763
SHA1 hash: bc70555d077ecbc73585340221f79b409d927603

SHA256 hash: a98f817a376b364cee5e4498eb8685838df2c69f515767d1924e462c2f62e2a3
MD5 hash: ed618cbb5754c81ef7b99cc9f7dbdc63
SHA1 hash: 873bcb3b47d9b4d58ef57bb427c0f4c1b03fa815

SHA256 hash: 20802ad8a4dfce3ce45c7d7b26315ce78f75257447f0a198412c3e13119fedeb
MD5 hash: 72111999275d62436965730deac23a85
SHA1 hash: 39d7c50af24c0245cc633028b44c39bfdb6f7e9e
Detections: win_trickbot_auto

SHA256 hash: 5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38 (the submitted sample itself)
MD5 hash: 2579509c702db759221ad5e279bc4b28
SHA1 hash: f158ca6c7b99c22f387c1c295cc465934fd341dc
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: TrickBot
File type: DLL dll
SHA256: 5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38 (this sample)

Comments