MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1
SHA3-384 hash: 532b417f1df59d60776c013f9434b10d87bd806611fe9a6cdd3b10c88d8be0c3da5e601855511af4cd7c3e31d24a1ae2
SHA1 hash: 42f895bad095a6649558de805e3b7225d0975f3e
MD5 hash: 81441b435cd16c6f118cafda5b70caf3
humanhash: nitrogen-fifteen-sad-nebraska
File name:mwconvertLinkGlobalng.trd.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:663'128 bytes
First seen:2021-06-29 19:15:24 UTC
Last seen:2021-06-29 19:55:39 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c804679f5a614e86a4a62411d1383e52 (1 x TrickBot)
ssdeep 12288:VZi+2vGEnYMVu700TCi941dWXRMKsUIKoNxKq2FZheiWz0fcPeMI:iYEnYMUGmIeDIKoNxg0kJMI
TLSH 0BE4C0332905402BD498017FA5B97305CAEEE82246E6F15FFC69F1DC88279921BEC95F
Reporter James_inthe_box
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168803/
Detection(s):
SecuriteInfo.com.generic.ml.15484.7157.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/49623c59-c56d-4097-8445-1785250c2cf5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/809620
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442029 Sample: mwconvertLinkGlobalng.trd.dll Startdate: 29/06/2021 Architecture: WINDOWS Score: 80 62 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->62 64 Multi AV Scanner detection for submitted file 2->64 9 loaddll32.exe 1 2->9         started        12 rundll32.exe 2->12         started        process3 signatures4 66 Writes to foreign memory regions 9->66 68 Allocates memory in foreign processes 9->68 14 rundll32.exe 9->14         started        17 wermgr.exe 9->17         started        20 cmd.exe 1 9->20         started        22 2 other processes 9->22 process5 dnsIp6 76 Hijacks the control flow in another process 14->76 78 Writes to foreign memory regions 14->78 80 Allocates memory in foreign processes 14->80 24 wermgr.exe 14->24         started        44 190.109.204.126, 443, 49787 METROREDSADECVHN Honduras 17->44 46 ident.me 176.58.123.25, 443, 49773 LINODE-APLinodeLLCUS United Kingdom 17->46 48 6 other IPs or domains 17->48 82 Tries to detect virtualization through RDTSC time measurements 17->82 84 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 17->84 28 cmd.exe 17->28         started        30 rundll32.exe 20->30         started        32 WerFault.exe 23 9 22->32         started        34 iexplore.exe 156 22->34         started        signatures7 process8 dnsIp9 50 116.212.152.225, 443, 49791 MEKONGNET-ADC-AS-APANGKORDATACOMMUNICATIONKH Cambodia 24->50 52 14.232.161.45, 443, 49777, 49790 VNPT-AS-VNVNPTCorpVN Viet Nam 24->52 58 7 other IPs or domains 24->58 36 cmd.exe 24->36         started        38 conhost.exe 28->38         started        70 Writes to foreign memory regions 30->70 72 Allocates memory in foreign processes 30->72 40 wermgr.exe 30->40         started        74 Tries to evade analysis by execution special instruction which cause usermode exception 32->74 54 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49754, 49755 YAHOO-DEBDE United Kingdom 34->54 56 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49757, 49758 FASTLYUS United States 34->56 60 10 other IPs or domains 34->60 signatures10 process11 process12 42 conhost.exe 36->42         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1/
Threat name:
Win32.Trojan.Sdum
Create hunting rule
Status:
Malicious
First seen:
2021-06-29 19:15:13 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:zev1 banker trojan
Link:
https://tria.ge/reports/210629-ylame6s8ze/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
14.232.161.45:443
118.173.233.64:443
41.57.156.203:443
45.239.234.2:443
45.201.136.3:443
177.10.90.29:443
185.17.105.236:443
91.237.161.87:443
185.189.55.207:443
186.225.119.170:443
143.0.208.20:443
222.124.16.74:443
220.82.64.198:443
200.236.218.62:443
178.216.28.59:443
45.239.233.131:443
196.216.59.174:443
119.202.8.249:443
82.159.149.37:443
49.248.217.170:443
181.114.215.239:443
113.160.132.237:443
105.30.26.50:443
202.165.47.106:443
103.122.228.44:443
Unpacked files
SH256 hash:
f88652521a9049eaf819f12da8f9ea0e5a2bb5087db5bfae092a94786368bcd0
MD5 hash:
5213480e70edbe036271d787cc1ea519
SHA1 hash:
fdad9d623f0def6d5b19c5754b91e867860fb027
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c5897efe-4d9d-4324-9e1d-2213ef76652d/
SH256 hash:
0fbace96d23631aaea9a11ed4a23fee5256d777e6b4a212a5c747d703b29ceea
MD5 hash:
8d32c47713142e3ecc8ed1d4d0373034
SHA1 hash:
603e97c1b1fc12abff156b0a6a4c6503c4150c5e
Link:
https://www.unpac.me/results/c5897efe-4d9d-4324-9e1d-2213ef76652d/
SH256 hash:
027e2698355b2a50966a130c43be47cdcf9cb8e6fb9ec388a481f3965571d2ea
MD5 hash:
d5aaac69127b81ae9a3f7da74217320a
SHA1 hash:
0ca623b5715b079c4115edfb9e16f6d246be89b5
Link:
https://www.unpac.me/results/c5897efe-4d9d-4324-9e1d-2213ef76652d/
SH256 hash:
684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1
MD5 hash:
81441b435cd16c6f118cafda5b70caf3
SHA1 hash:
42f895bad095a6649558de805e3b7225d0975f3e
Link:
https://www.unpac.me/results/c5897efe-4d9d-4324-9e1d-2213ef76652d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/168803/

Comments