MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549
SHA3-384 hash: c6bbad5e89f3a1f4b63830514d468bb2158516b61ac1bbaeb50cf6c1df32a23186d0641471bd919e600929a8fbf838e1
SHA1 hash: f9765d2e54784151519b6d755118edd01e55c51d
MD5 hash: 8dd7c961c9cdbd69e9a5d86d7809fc50
humanhash: indigo-stream-hot-west
File name:wfhG.bin
Download: download sample
Signature TrickBot
Create hunting rule
File size:632'320 bytes
First seen:2021-07-27 00:26:18 UTC
Last seen:2021-07-27 15:38:52 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c5fccb41822a3f434586ee8cc221f1e8 (1 x TrickBot)
ssdeep 12288:NRd40nqiQQuVRe+vFIRiEPH8nzjDAL2dUIvltfWZ5QCR8URd5Jr:7RVQQuVdFQ8nzgLJIdt0mURPB
Threatray 904 similar samples on MalwareBazaar
TLSH T157D4BE21B790C036C1AE31306526E77965ADBE318FF587C77F806A7D5E341D28A38B1A
dhash icon 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter malware_traffic
Tags:dll rob112 TrickBot


Avatar
malware_traffic
Run method: Rundll32.exe [filename],StartW

Intelligence

File Origin
# of uploads :
4
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174220/
Detection(s):
SecuriteInfo.com.LresultFromObject.10011.2122.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3acbac0-419a-41dc-b7ad-e332acac2c2b
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822065
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 454477 Sample: wfhG.bin Startdate: 27/07/2021 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Found malware configuration 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 2 other signatures 2->73 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 rundll32.exe 10->16         started        19 cmd.exe 1 10->19         started        21 rundll32.exe 10->21         started        signatures5 61 Hijacks the control flow in another process 16->61 63 Writes to foreign memory regions 16->63 65 Allocates memory in foreign processes 16->65 23 wermgr.exe 16->23         started        27 cmd.exe 16->27         started        29 rundll32.exe 19->29         started        31 wermgr.exe 21->31         started        33 cmd.exe 21->33         started        process6 dnsIp7 55 24.162.214.166, 443, 49737, 49739 TWC-11427-TEXASUS United States 23->55 57 185.56.76.94, 443 GRUPOINFOSHOPES Spain 23->57 59 8 other IPs or domains 23->59 77 May check the online IP address of the machine 23->77 79 Writes to foreign memory regions 23->79 81 Tries to detect virtualization through RDTSC time measurements 23->81 83 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 23->83 35 cmd.exe 1 23->35         started        85 Allocates memory in foreign processes 29->85 37 wermgr.exe 29->37         started        41 cmd.exe 29->41         started        signatures8 process9 dnsIp10 43 conhost.exe 35->43         started        49 148.235.154.164, 443, 49754 UninetSAdeCVMX Mexico 37->49 51 60.51.47.65, 443, 49742, 49744 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 37->51 53 14 other IPs or domains 37->53 75 Writes to foreign memory regions 37->75 45 cmd.exe 1 37->45         started        signatures11 process12 process13 47 conhost.exe 45->47         started       
Gathering data
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-26 22:52:44 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a
TrickBot
1c8a67342a601e649f56e32383fecea6d62036a38a7edd2991bfd0e3323fd5f4
TrickBot
7bc0a27df5b8420ca23081fb973bb68729bab7b6229513c81019f7be76deb8e1
TrickBot
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
TrickBot
cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20
TrickBot
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c
TrickBot
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
TrickBot
fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be
TrickBot
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
TrickBot
+ 894 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob112 banker trojan
Link:
https://tria.ge/reports/210727-hvt9ny2jd2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
75e46e274d626461b74c9ff206bd6de4e06cf1b44a65e5f3339992ea98b1715c
MD5 hash:
d89910ae592ce85c39e8e1a8270dfdb8
SHA1 hash:
cf514ec107a177ed5921b61ce1ee93bf52cba268
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c409c14b-f8f9-45bc-8991-8009c5f5b3bd/
Parent samples :
1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a
6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549
SH256 hash:
f3aa731abf6aa0a7847d0c65ee04185bcbb6446b5d4239dc5b7a26b6d10ebc57
MD5 hash:
02cb0e10e23f68a5a74053a88b6cbe6b
SHA1 hash:
647506f03188f0c336c43e8a7b39a6b6c43b42b8
Link:
https://www.unpac.me/results/c409c14b-f8f9-45bc-8991-8009c5f5b3bd/
SH256 hash:
586c75fda691a9d541c26ca33f81628bbb78bcdeb772932f7204056396addf9b
MD5 hash:
da63d4cbf0709558b1bcdb51c197e5bc
SHA1 hash:
4c1f3e3520b3c7ae796a37cb72d47b3a481bb641
Link:
https://www.unpac.me/results/c409c14b-f8f9-45bc-8991-8009c5f5b3bd/
SH256 hash:
019d078098150a574d6f7e66b5eaef5a1cd2aca48f9b64ca921a4b7b0925bf82
MD5 hash:
4be792c280e767937b4efb6d345d2492
SHA1 hash:
3e1836e5c6f1a07bb221de1c2ef2f120d3dff30e
Link:
https://www.unpac.me/results/c409c14b-f8f9-45bc-8991-8009c5f5b3bd/
SH256 hash:
6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549
MD5 hash:
8dd7c961c9cdbd69e9a5d86d7809fc50
SHA1 hash:
f9765d2e54784151519b6d755118edd01e55c51d
Link:
https://www.unpac.me/results/c409c14b-f8f9-45bc-8991-8009c5f5b3bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/174220/
  
URLhaus
https://urlhaus.abuse.ch/url/1484241/
  
Delivery method
Distributed via web download

Comments