MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b9c6a3cb61aa69e521120369f8d4bfbc91a4259dfe79996a512e2a1c3cd85ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 10

SHA256 hash: 6b9c6a3cb61aa69e521120369f8d4bfbc91a4259dfe79996a512e2a1c3cd85ef
SHA3-384 hash: 5e465394c4a1b15018fb00b05360bafbade1145e2c062f24b1b38a06701df77f94fe7fbf0a3d600b8e087104fe6a7022
SHA1 hash: a3d5ba1050af75c889a8f5d38915d9ba2e33ecd0
MD5 hash: b7fc49c0ae002f03d2e4483dbc930bec
humanhash: double-winter-zulu-mockingbird
File name: 6b9c6a3cb61aa69e521120369f8d4bfbc91a4259dfe79996a512e2a1c3cd85ef
Signature: TrickBot
File size: 507'904 bytes
First seen: 2021-07-20 14:38:55 UTC
Last seen: 2021-07-20 15:53:20 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 216d554ea2ea71d1271952610740e0b2 (1 x TrickBot)
ssdeep: 6144:KjoQkvVY1OHxH1Tz32FYBUPA3XoLfQJtH+9c9TXFbN0ULq0bdtKZ8+0859Jo16C/:8NkNYkTzG6X4LH9KjFbf16s8Fb
Threatray: 842 similar samples on MalwareBazaar
TLSH: T17BB49EE02EC4C432E1A7103E1856D2A926FE7C51BB23FA5F67887A6E1E315835D35336
Reporter: Anonymous
Tags: dll rob108 TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 212
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signatures:
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 451460, sample 4fZX8fJwHn, start date 20/07/2021, architecture WINDOWS, score 96). The rendered graph is not reproduced here; the information recoverable from it is:
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Sigma detected: CobaltStrike Load by Rundll32; Machine Learning detection for sample.
Process tree: the DLL is started under loaddll32.exe and rundll32.exe; loaddll32.exe spawns rundll32.exe and cmd.exe; each rundll32.exe spawns wermgr.exe and cmd.exe (Writes to foreign memory regions, Allocates memory in foreign processes); wermgr.exe spawns cmd.exe (Hijacks the control flow in another process, May check the online IP address of the machine, Writes to foreign memory regions, plus 2 other signatures); cmd.exe spawns conhost.exe.
Network contacts (all on port 443 unless noted): 192.168.2.1 (local, unknown); 190.197.55.254 (BelizeTelemediaLimitedBZ, Belize); 204.138.26.109 (NTT-COMMUNICATIONS-2914US, United States); 5.181.80.128 (TELEHOUSE-ASBG, Bulgaria); 94.140.114.239 (NANO-ASLV, Latvia); 190.144.10.242 (TelmexColombiaSACO, Colombia); 74.85.157.139 (FUSEPR, Puerto Rico); the graph summarises further destinations only as counts (10, 4 and 16 other IPs or domains).
Dropped files (SQLite, from the cmd.exe chain under wermgr.exe): C:\Users\user\AppData\Local\...\Web Data.bak, C:\Users\user\AppData\...\Login Data.bak, C:\Users\user\AppData\Local\...\History.bak; these are browser database copies matching the signature "Tries to harvest and steal browser information (history, passwords, etc)".
Threat name: Win32.Trojan.Trickpak
Status: Malicious
First seen: 2021-07-19 21:36:48 UTC
AV detection: 13 of 28 (46.43%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob108 banker trojan
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot Malware Config
C2 Extraction (IP:port):
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
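The C2 list above is the most directly actionable part of this entry. As an added example (not MalwareBazaar or TrickBot code), the Python below parses that list, groups it by /24 to show the hosting clusters, and matches constructed connection-log lines (the log format is assumed, not taken from the page) against the ip:port pairs. It also shows why the static config and the sandbox's observed traffic must be kept separate: 204.138.26.109, contacted in the run above, is not in the extracted config and therefore does not match.

```python
"""Match network log lines against the static TrickBot C2 list from this
MalwareBazaar entry. Added example, not MalwareBazaar or TrickBot code."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# The 29 C2 endpoints listed under "Malware Config / C2 Extraction" above.
TRICKBOT_C2_RAW = """
38.110.103.124:443 185.56.76.28:443 204.138.26.60:443 60.51.47.65:443 74.85.157.139:443
68.69.26.182:443 38.110.103.136:443 38.110.103.18:443 138.34.28.219:443 185.56.76.94:443
217.115.240.248:443 24.162.214.166:443 80.15.2.105:443 154.58.23.192:443 38.110.100.104:443
45.36.99.184:443 185.56.76.108:443 185.56.76.72:443 138.34.28.35:443 97.83.40.67:443
38.110.103.113:443 38.110.100.142:443 184.74.99.214:443 103.105.254.17:443 62.99.76.213:443
82.159.149.52:443 38.110.100.33:443 38.110.100.242:443 185.13.79.3:443
"""


def parse_c2_list(raw: str) -> Dict[str, Set[int]]:
    """Turn whitespace-separated 'ip:port' entries into {ip: {ports}},
    skipping malformed entries instead of failing on a dirty config dump."""
    c2: Dict[str, Set[int]] = {}
    for entry in raw.split():
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ipaddress.ip_address(host)  # this config is IP-only; drop hostnames/garbage
        except ValueError:
            continue
        c2.setdefault(host, set()).add(int(port))
    return c2


def summarize_by_prefix(c2: Dict[str, Set[int]], prefixlen: int = 24) -> List[Tuple[str, int]]:
    """Count C2 hosts per network prefix; dense clusters are candidates for a
    range block rather than 29 individual host rules."""
    counts = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in c2
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Assumed log format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines (not from the page). 204.138.26.109 was contacted in
# the sandbox run but is absent from the static config, so it must not match;
# 38.110.103.18 is a C2 host but on a port the config does not list.
SAMPLE_LOG = [
    "2021-07-20T14:40:01Z 10.0.0.5:49756 -> 74.85.157.139:443 tcp",
    "2021-07-20T14:40:02Z 10.0.0.5:49741 -> 204.138.26.109:443 tcp",
    "2021-07-20T14:40:03Z 10.0.0.5:53211 -> 8.8.8.8:53 udp",
    "2021-07-20T14:40:04Z 10.0.0.7:51000 -> 38.110.103.18:80 tcp",
    "not a log line",
]


def find_c2_hits(log_lines: Iterable[str], c2: Dict[str, Set[int]]) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, src_ip, dst_ip, dst_port) for each line whose
    destination ip:port is in the C2 set; unparsable lines are skipped."""
    hits: List[Tuple[str, str, str, int]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dport in c2.get(dst, set()):
            hits.append((m["ts"], m["src"], dst, dport))
    return hits


if __name__ == "__main__":
    c2 = parse_c2_list(TRICKBOT_C2_RAW)
    print(f"{len(c2)} C2 hosts; densest /24s: {summarize_by_prefix(c2)[:3]}")
    for hit in find_c2_hits(SAMPLE_LOG, c2):
        print("C2 contact:", hit)
```

Matching on the ip:port pair rather than the IP alone keeps false positives down when a C2 host shares an address with unrelated services, and the per-/24 summary makes the 38.110.100.0/24, 38.110.103.0/24 and 185.56.76.0/24 clusters visible at a glance.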
Unpacked files

SHA256 hash: d29b3fec32e0810a62005d27746b9667a0abee8ab78a877a89d4fce4a2d585a6
MD5 hash: ab38343e9e5fd27f8fc9f4f61647f840
SHA1 hash: f2d84041265151dd0856c8db234b39ae54047d69

SHA256 hash: f5a75742de47bb2740e0ffd41d6fbf1741f54f58659bf32a29c28ac1aff81be6
MD5 hash: 7c30867f2ebb42a557da4c55140b5bdd
SHA1 hash: ca82330c91e6c69cb152a4efa2d5bf4e95668201

SHA256 hash: 8727e6e555c37b1d8daafe36cb92482b72cc2675546a468f6a497390c63ceb6a
MD5 hash: dc38cba49e4622189ed0e018aeabce7a
SHA1 hash: 591d4d78e4e558093539e51cfa91f8e173e087fe

SHA256 hash: 79618db31363f9d5cf3f4e9aa33b8fc87a43968568524c5828c05e2cba18c1d9
MD5 hash: 87747531e2046f870562d7e2e36487ea
SHA1 hash: 57635637d347659eeef2d3715a643bf4e722bb11
Detections: win_trickbot_auto

SHA256 hash: 6b9c6a3cb61aa69e521120369f8d4bfbc91a4259dfe79996a512e2a1c3cd85ef (the submitted sample itself)
MD5 hash: b7fc49c0ae002f03d2e4483dbc930bec
SHA1 hash: a3d5ba1050af75c889a8f5d38915d9ba2e33ecd0
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
