MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 8



SHA256 hash: 678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24
SHA3-384 hash: 087cc8d9423f85e857a89de3cdd60ca917d1b06e660a95c51fc42672beb118452baa1d746d2cee9efad0267792927474
SHA1 hash: 9a39b6a0e942b3d7efda50285ce754f3ca86f3fd
MD5 hash: ca01a71ccc8a2fa1d0f5573fb61ea336
humanhash: sad-grey-east-louisiana
File name: ca01a71c_by_Libranalysis
Signature: TrickBot
File size: 413'696 bytes
First seen: 2021-05-06 15:03:11 UTC
Last seen: 2021-05-06 16:02:05 UTC
File type: DLL
MIME type: application/x-dosexec
imphash 88cc056314d3e98bc2df177b4a530af1 (1 x TrickBot)
ssdeep 6144:khrKSoVwO2YQ8D4HHUSrSfB2EEWnFez575akXEU4FS1PudwlnXk:4noVwtYQ8zRfZl6574k09Vd+
Threatray 1'570 similar samples on MalwareBazaar
TLSH FC94E11139E1C475E5AF113D09369B3A1BB7FC22CFB1D6CB67809E4D9C329819D2A326
Reporter Libranalysis
Tags:TrickBot


Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads: 2
# of downloads: 272
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a UDP request
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Trickbot
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses Windows timers to delay execution
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph (ID 406087; sample ca01a71c_by_Libranalysis.dll; start date 06/05/2021; architecture WINDOWS; score 100):
Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Trickbot
Process tree (signatures listed against the process that triggered them):
  loaddll32.exe
    rundll32.exe  [Writes to foreign memory regions; Allocates memory in foreign processes; Uses Windows timers to delay execution; Delayed program exit found]
      wermgr.exe  [Found potential dummy code loops (likely to delay analysis); Tries to detect virtualization through RDTSC time measurements; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)]
    cmd.exe
      rundll32.exe  [Writes to foreign memory regions; Allocates memory in foreign processes; Uses Windows timers to delay execution]
        wermgr.exe
    rundll32.exe
      wermgr.exe
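The process tree above is the detection-relevant part of this report: rundll32.exe allocates and writes memory in a foreign process and then wermgr.exe appears as its child, the classic TrickBot injection target. The following is an added example (not code from MalwareBazaar or the sandbox vendor) that hunts for that parent/child relationship over constructed Sysmon-style process-creation events; the PIDs, command lines, the `#1` export ordinal and the benign WER launch are all assumptions made up for the example. It deliberately keys on the direct parent only, because loaddll32.exe at the root is the sandbox's DLL-loading harness and will not exist on a real victim host, and the graph shows the same edge both directly and behind a cmd.exe hop.

```python
"""Hunt for the rundll32.exe -> wermgr.exe chain shown in the behavior graph.

Added example, not part of the MalwareBazaar entry or any vendor report.
The events below are constructed Sysmon-style process-creation records
(PIDs and command lines are illustrative), mixing one benign Windows Error
Reporting launch with the injection chain from the graph.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, lower-case
    cmdline: str


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(400, 4, "svchost.exe", "svchost.exe -k WerSvcGroup"),
    ProcEvent(410, 400, "wermgr.exe", "wermgr.exe -upload"),  # benign WER launch
    ProcEvent(500, 300, "loaddll32.exe", "loaddll32.exe ca01a71c_by_Libranalysis.dll"),
    ProcEvent(510, 500, "rundll32.exe", "rundll32.exe ca01a71c_by_Libranalysis.dll,#1"),
    ProcEvent(511, 510, "wermgr.exe", "wermgr.exe"),
    ProcEvent(520, 500, "cmd.exe", "cmd.exe /c rundll32.exe ca01a71c_by_Libranalysis.dll,#1"),
    ProcEvent(521, 520, "rundll32.exe", "rundll32.exe ca01a71c_by_Libranalysis.dll,#1"),
    ProcEvent(522, 521, "wermgr.exe", "wermgr.exe"),
]

# Parents that should not spawn wermgr.exe on a healthy host; the graph shows
# rundll32.exe doing exactly that after allocating/writing foreign memory.
SUSPICIOUS_PARENTS: FrozenSet[str] = frozenset({"rundll32.exe"})


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk ppid links upward; returns image names from the process to its oldest known ancestor."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:   # seen-guard against PID-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def find_wermgr_injection(events: List[ProcEvent],
                          suspicious_parents: FrozenSet[str] = SUSPICIOUS_PARENTS
                          ) -> List[Tuple[int, List[str]]]:
    """Return (pid, lineage) for each wermgr.exe whose direct parent is suspicious.

    Only the direct parent is checked on purpose: the graph shows both a direct
    rundll32.exe -> wermgr.exe edge and one behind cmd.exe, and loaddll32.exe at
    the root is the sandbox's DLL loader, which a real host will not have.
    """
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, List[str]]] = []
    for e in events:
        if e.image != "wermgr.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image in suspicious_parents:
            hits.append((e.pid, lineage(events, e.pid)))
    return hits


if __name__ == "__main__":
    for pid, chain in find_wermgr_injection(SAMPLE_EVENTS):
        print(pid, " <- ".join(chain))
```

On the constructed input the benign svchost.exe -> wermgr.exe launch is not reported, while both injected wermgr.exe instances are, with their full lineage for the analyst. The same shape of rule ports directly to a Sigma process_creation rule on ParentImage and Image.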
Threat name: Win32.Trojan.TrickBot
Status: Malicious
First seen: 2021-05-06 15:04:08 UTC
AV detection: 12 of 29 (41.38%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob73 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
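The C2 list above is the most directly actionable artefact on this page. What follows is an added example, not code from MalwareBazaar or the reporting vendor: it parses the extracted list verbatim, sweeps constructed firewall-style log lines for connections to those hosts, and emits one Suricata rule per ip:port pair. The log lines, the key=value log format, the 203.0.113.10 stand-in address (RFC 5737 documentation space) and the 9000001 SID range are all assumptions for the example. Matching is on destination IP alone, with the port recorded separately, so a C2 host reused on a different port is still surfaced for triage. TrickBot C2 addresses rotate quickly; treat this list as dated to the entry's first-seen time (2021-05-06) rather than as a permanent blocklist.

```python
"""Match this entry's extracted TrickBot C2 list against connection logs.

Added example, not code from MalwareBazaar or the reporting vendor. The
C2_EXTRACTION text is copied verbatim from the entry above; the log lines
are constructed for the example and are not real traffic.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

C2_EXTRACTION = """
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
"""

# Constructed firewall/proxy lines (key=value style). 203.0.113.10 is an
# RFC 5737 documentation address standing in for ordinary traffic.
SAMPLE_LOG = [
    "2021-05-06T15:10:02Z src=10.0.0.5 dst=103.66.72.217 dport=443 proto=tcp action=allow",
    "2021-05-06T15:10:05Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2021-05-06T15:11:40Z src=10.0.0.9 dst=178.72.192.20 dport=443 proto=tcp action=allow",
    "2021-05-06T15:12:01Z src=10.0.0.9 dst=178.72.192.20 dport=8443 proto=tcp action=deny",
    "malformed line that the parser must skip",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")
C2_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")


def parse_c2_list(text: str) -> Dict[str, Set[int]]:
    """Parse 'ip:port' lines into {ip: {ports}}; blank lines and junk are ignored."""
    c2: Dict[str, Set[int]] = defaultdict(set)
    for line in text.splitlines():
        m = C2_RE.match(line.strip())
        if m:
            c2[m["ip"]].add(int(m["port"]))
    return dict(c2)


def scan_log(lines: List[str], c2: Dict[str, Set[int]]) -> List[dict]:
    """Report every connection to a C2 IP; port_match says whether the port also matched."""
    hits: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["dst"] not in c2:
            continue
        dport = int(m["dport"])
        hits.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": dport, "port_match": dport in c2[m["dst"]],
        })
    return hits


def to_suricata_rules(c2: Dict[str, Set[int]], sid_base: int = 9000001) -> List[str]:
    """Emit one Suricata rule per ip:port pair (sid_base is an assumed local SID range)."""
    rules: List[str] = []
    sid = sid_base
    for ip in sorted(c2):
        for port in sorted(c2[ip]):
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"TrickBot C2 from MalwareBazaar 678de819 config"; '
                f'flow:to_server; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    c2s = parse_c2_list(C2_EXTRACTION)
    for hit in scan_log(SAMPLE_LOG, c2s):
        print(hit)
    print("\n".join(to_suricata_rules(c2s)))
```

On the constructed log the two allowed connections to listed hosts are reported with port_match true, the denied 8443 attempt to a listed host is reported with port_match false, and the documentation-range destination and the malformed line are ignored. The Suricata rules are ordered by IP string and numbered from sid_base, so re-running against an updated config regenerates a stable set.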
Unpacked files
SHA256 hash: 013f6a9a5761121b8013e5d3e0cb49e8327c6cd39eb91c6f9e273f6845d6ed4f
MD5 hash: c38132b15d969f4b87fa5a53eb52b90c
SHA1 hash: e6476b5ec3f85f1c370ef6d81ff0d7af1050d8d0
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto
SHA256 hash: 2efafa4eef324992a6ffe8bf3519fc07a22cdc71f830f1fa7506c1145c255b8c
MD5 hash: 568bc1766aef23197cffdeb90b6ba8a5
SHA1 hash: e17e548c5cbbd67a99ecd02daf568eed6899a660
Detections: win_trickbot_a4
SHA256 hash: 37089091ff4c2a69e4f63ad682205becc5ce68298f9cb3eeeaaf08334e75995b
MD5 hash: 965493e811c58bea4d01ea47b3c950cc
SHA1 hash: 390bbdf613fc4cf3799e3f62277bb8d601ca1bf7
Detections: win_trickbot_a4
SHA256 hash: 678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24 (the submitted sample itself)
MD5 hash: ca01a71ccc8a2fa1d0f5573fb61ea336
SHA1 hash: 9a39b6a0e942b3d7efda50285ce754f3ca86f3fd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 16:11:39 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [F0002.001] Collection::Application Hook
2) [F0002.002] Collection::Polling
3) [B0030.002] Command and Control::Receive Data
4) [C0002.006] Communication Micro-objective::Download URL::HTTP Communication
5) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
6) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
7) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
8) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
9) [C0026.002] Data Micro-objective::XOR::Encode Data
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0051] File System Micro-objective::Read File
14) [C0052] File System Micro-objective::Writes File
15) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
18) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
19) [C0040] Process Micro-objective::Allocate Thread Local Storage
20) [C0038] Process Micro-objective::Create Thread
21) [C0054] Process Micro-objective::Resume Thread
22) [C0041] Process Micro-objective::Set Thread Local Storage Value
23) [C0018] Process Micro-objective::Terminate Process