MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b
SHA3-384 hash: cb8756bfacb90a53cbe40f97dde93d74cb779fe6d4aed09eb1577e939c77922fd22fd7485ebd1ebba62f7f00f8f53501
SHA1 hash: 377859b3d44cd40f21fb20b682169b447c0e8fb2
MD5 hash: a3e7540eaef734b4f74c23bfda1023a0
humanhash: apart-kitten-delta-zulu
File name:subzero.png.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:723'456 bytes
First seen:2021-10-21 15:18:13 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 0287a7604016003972a047b182e6c22a (4 x TrickBot)
ssdeep 12288:7NP2qgMhn9VbKac3cM15xIKR5pduDkgcKOuCEUz+ovYJXA8ZRA5cXO/+uBY2F0cC:RPp2abM15xIxD4KXJg/vYRbKDBhF1TSz
Threatray 12 similar samples on MalwareBazaar
TLSH T126F4AFD59A5296D7FA46CC3AC30065A7C4D71F329A61F0F5EC0B2213BDB39A28476B13
Reporter info_sec_ca
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199125/
Detection(s):
SecuriteInfo.com.ML.PE-A.24062.1028.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/617184e8db358dd15eceb763/reports/02c8d88d-96a9-4903-99cc-94e90e319b5a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c089e8d4-fa89-4ce4-85d7-31bdcf98497c
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874690
Signature
Allocates memory in foreign processes
Delayed program exit found
Found detection on Joe Sandbox Cloud Basic with higher score
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1759 Sample: subzero.png.dll Startdate: 21/10/2021 Architecture: WINDOWS Score: 100 51 wtfismyip.com 2->51 53 checkip.eu-west-1.prod.check-ip.aws.a2z.com 2->53 55 5 other IPs or domains 2->55 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 8 other signatures 2->75 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        signatures3 process4 process5 15 rundll32.exe 9->15         started        18 cmd.exe 1 9->18         started        20 rundll32.exe 9->20         started        22 rundll32.exe 11->22         started        signatures6 87 Writes to foreign memory regions 15->87 89 Allocates memory in foreign processes 15->89 91 Delayed program exit found 15->91 24 wermgr.exe 15->24         started        28 cmd.exe 15->28         started        30 rundll32.exe 18->30         started        32 wermgr.exe 20->32         started        34 cmd.exe 20->34         started        36 wermgr.exe 22->36         started        38 cmd.exe 22->38         started        process7 dnsIp8 57 75.176.235.182, 443, 49814 TWC-11426-CAROLINASUS United States 24->57 59 128.201.76.252, 443, 49799, 49805 PedroFArrudaJuniorMEBR Brazil 24->59 61 checkip.eu-west-1.prod.check-ip.aws.a2z.com 52.209.94.10, 49804, 80 AMAZON-02US United States 24->61 77 Hijacks the control flow in another process 24->77 40 svchost.exe 24->40         started        79 Writes to foreign memory regions 30->79 81 Allocates memory in foreign processes 30->81 42 wermgr.exe 3 30->42         started        47 cmd.exe 30->47         started        signatures9 process10 dnsIp11 63 46.99.175.217, 443, 49798, 49801 IPKO-ASAL Albania 42->63 65 wtfismyip.com 84.22.120.25, 49800, 80 TILAANL Germany 42->65 67 5.152.175.57, 443, 49829 SKYLOGIC-ASIT Spain 42->67 49 C:\Users\user\AppData\...\eysubzero.pngou.dmo, PE32 42->49 dropped 83 Tries to harvest and steal browser information (history, passwords, etc) 42->83 85 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 42->85 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b/
Threat name:
Win32.Trojan.KryptikAGen
Create hunting rule
Status:
Malicious
First seen:
2021-10-21 15:19:06 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31
TrickBot
0b149fc1f48da1d2c02d778be120427483403cd7519fc7f69e741288b120cb9d
TrickBot
1455e78e95b8e3b9df5eb8d8d1703018c927694c6269e01f1b846abdfa054b82
TrickBot
45b7ef5a55cbcddb1f21415450ee982ebdafac1cf3a57e62acb8d014bc797dfc
TrickBot
968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
TrickBot
d3fd3711c2dcff75bf015624ac6ac8f258fbd0229cf7cd4cb5f4eaba6ec32033
TrickBot
e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb
TrickBot
f8cdd0190b5b1bc3a441e8298cdedec9f09bca6ff99ec0b461d7730985ffb78b
TrickBot
+ 2 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob136 banker trojan
Link:
https://tria.ge/reports/211021-sp6wxaaea5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
fe4113b32c3d774ac5210a04b6e0e339a93770edb97bfd004e1f5448ccba851d
MD5 hash:
4be9f19c34ee551f4c889f1c2f0fd469
SHA1 hash:
992d028dedbec8de291552613eccc39b96dd5d17
Link:
https://www.unpac.me/results/c447970a-f54d-48c8-8b1b-9620c443f869/
SH256 hash:
b2c4e3e3eacf501232242e9a340dfe29776ae79685e5cb7bdb25dcb168c793c3
MD5 hash:
5003d5e55f514b8f18d0c3b5d2942e2c
SHA1 hash:
5a197cabd54e8fdc40ee1bbce711ed3879d0089f
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c447970a-f54d-48c8-8b1b-9620c443f869/
Parent samples :
968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb
f8cdd0190b5b1bc3a441e8298cdedec9f09bca6ff99ec0b461d7730985ffb78b
1455e78e95b8e3b9df5eb8d8d1703018c927694c6269e01f1b846abdfa054b82
65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b
af7526d30d40da60e83b0423f338f0740886321eadaae86ce16c10af44e44c3e
c0c4cf3a74e70f837e73f44ed95789946b02de457b6155ddc4e14a9441f92048
4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520
SH256 hash:
65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b
MD5 hash:
a3e7540eaef734b4f74c23bfda1023a0
SHA1 hash:
377859b3d44cd40f21fb20b682169b447c0e8fb2
Link:
https://www.unpac.me/results/c447970a-f54d-48c8-8b1b-9620c443f869/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199125/

Comments