MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71d6a3e4db25151e59c23acc14aec238875943f5b99fc170162d78b044ffec3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71d6a3e4db25151e59c23acc14aec238875943f5b99fc170162d78b044ffec3f
SHA3-384 hash: 4f62d146ae53ff3a4eb5bf4c252a83d826dee0bd792bd2a4321cd5aac01a9fce3473b41d0c0a5cf268c5336b0d373592
SHA1 hash: 75ec793fca165eec14e23fca515ce156ff7891b1
MD5 hash: 0de9a282af4e4ddd7811760ed4693a0d
humanhash: beryllium-crazy-zulu-nine
File name:zizy3
Download: download sample
Signature TrickBot
Create hunting rule
File size:551'037 bytes
First seen:2021-07-09 18:51:23 UTC
Last seen:2021-07-09 19:47:23 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash afa2ec665dcca67fcd2e07f1a276b8c0 (2 x TrickBot)
ssdeep 12288:QNt556/s8v1D73K+jBbovtDVYcI1SfJFheeB2a:QC/s6D73K+RCtDV5JFZMa
Threatray 806 similar samples on MalwareBazaar
TLSH T1EEC4CF107784C431C1EE25315526A7B966E9BD31AFF4C2C7BFD02A7D6E312C29A3835A
Reporter malwarelabnet
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170735/
Detection(s):
SecuriteInfo.com.Win32.TrickBot.DX.19181.14862.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fce21621-2e84-4cbb-96c1-34683043d309
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/814185
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446596 Sample: zizy3 Startdate: 09/07/2021 Architecture: WINDOWS Score: 80 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Found malware configuration 2->87 89 Yara detected Trickbot 2->89 10 loaddll32.exe 1 2->10         started        13 regsvr32.exe 2->13         started        15 rundll32.exe 2->15         started        17 rundll32.exe 2->17         started        process3 signatures4 95 Writes to foreign memory regions 10->95 97 Allocates memory in foreign processes 10->97 19 regsvr32.exe 10->19         started        22 cmd.exe 1 10->22         started        24 rundll32.exe 10->24         started        26 2 other processes 10->26 process5 dnsIp6 91 Writes to foreign memory regions 19->91 93 Allocates memory in foreign processes 19->93 29 wermgr.exe 19->29         started        33 rundll32.exe 22->33         started        35 wermgr.exe 24->35         started        59 200.236.218.62, 443, 49745, 49754 TelecomSouthAmericaSABR Brazil 26->59 61 190.109.204.126, 443, 49756, 49764 METROREDSADECVHN Honduras 26->61 63 8 other IPs or domains 26->63 37 iexplore.exe 150 26->37         started        39 cmd.exe 26->39         started        signatures7 process8 dnsIp9 71 116.212.152.225, 443, 49757 MEKONGNET-ADC-AS-APANGKORDATACOMMUNICATIONKH Cambodia 29->71 73 177.10.90.29, 443, 49739, 49755 ATPDATABR Brazil 29->73 79 6 other IPs or domains 29->79 101 Tries to detect virtualization through RDTSC time measurements 29->101 103 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 29->103 41 cmd.exe 29->41         started        105 Writes to foreign memory regions 33->105 107 Allocates memory in foreign processes 33->107 43 wermgr.exe 33->43         started        75 118.173.233.64, 443, 49742 TOT-NETTOTPublicCompanyLimitedTH Thailand 35->75 77 222.124.16.74, 443, 49758, 49762 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID Indonesia 35->77 81 7 other IPs or domains 35->81 47 cmd.exe 35->47         started        83 10 other IPs or domains 37->83 49 conhost.exe 39->49         started        signatures10 process11 dnsIp12 51 conhost.exe 41->51         started        65 45.239.234.2, 443, 49740 SPEEDNETFRUTALNETFIBRAEWIRELESSBR Brazil 43->65 67 41.57.156.203, 443, 49759, 49763 BCSNETZA South Africa 43->67 69 9 other IPs or domains 43->69 99 Writes to foreign memory regions 43->99 53 cmd.exe 43->53         started        55 conhost.exe 47->55         started        signatures13 process14 process15 57 conhost.exe 53->57         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/71d6a3e4db25151e59c23acc14aec238875943f5b99fc170162d78b044ffec3f/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 18:52:08 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ohlkhzg3eukr4wochlgbjlwchcdvsq7vxgp4c4awfv4larh75q7q._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1147a175e30efb3f0bf3c833f3af876684d9892a93396f8124006b17a04b64ed
TrickBot
1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989
TrickBot
26f3b97dfdcffc516a890f5e0bd3539c63603c26bea8298e7376ab9f9b53433a
TrickBot
4b2c39847825cdbc53f5a1afa37f047eeba06b7b490b191967e88cba0706df3e
TrickBot
7f77b60f4ba221f7a29938d0b3e8f568a4ecb4f010a122770a4173cd96d32c4e
TrickBot
87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4
TrickBot
896b649c68a4c744c0bcab8c1918732ef1c82bb51ffaea777d3035867bd2787a
TrickBot
9daa699ecef632ab2f605bd6917c410f676b22bd173f6ad4ed567fa4ce66d909
TrickBot
d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48
TrickBot
f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1
TrickBot
+ 796 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:zev1 banker trojan
Link:
https://tria.ge/reports/210709-xwdf2nf6r2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
14.232.161.45:443
118.173.233.64:443
41.57.156.203:443
45.239.234.2:443
45.201.136.3:443
177.10.90.29:443
185.17.105.236:443
91.237.161.87:443
185.189.55.207:443
186.225.119.170:443
143.0.208.20:443
222.124.16.74:443
220.82.64.198:443
200.236.218.62:443
178.216.28.59:443
45.239.233.131:443
196.216.59.174:443
119.202.8.249:443
82.159.149.37:443
49.248.217.170:443
181.114.215.239:443
113.160.132.237:443
105.30.26.50:443
202.165.47.106:443
103.122.228.44:443
Unpacked files
SH256 hash:
a7df15d790b91b25febb65968e7bcb486d81d242420a8521577768ace8639d5b
MD5 hash:
6d64154f5f11cbf593cbece2c7a27fa7
SHA1 hash:
0053f087cad52af4f3d30efc6a2823ef86480584
Link:
https://www.unpac.me/results/77a8657d-7e88-41d2-b2eb-3adc6fd558ca/
SH256 hash:
c0f112527ca911ec567f3e5800d4a836dacb6643b7102b1a68c22643c12bbf68
MD5 hash:
13444c344d0b9de5553c334f3af3b5b2
SHA1 hash:
581dcf5b78cfbc8433b93907baabf5b2a60fc566
Link:
https://www.unpac.me/results/77a8657d-7e88-41d2-b2eb-3adc6fd558ca/
SH256 hash:
dcce177d756ec596f899db4aafef26cabaf6e85841639a6306eecdd7a8d20120
MD5 hash:
56b6319d6a2d036db4a3901d3b6ec02c
SHA1 hash:
9d208049c56030c05346dd919a3d6c9f17d91f61
Link:
https://www.unpac.me/results/77a8657d-7e88-41d2-b2eb-3adc6fd558ca/
SH256 hash:
8442343d210f5b6642c924b7c6264ef60ba8eb1b7696b9eeee0fcd70149139db
MD5 hash:
cf2706a91fd69cd11f2b2405889fe31d
SHA1 hash:
dc78cd9e1f22ec673ec5791ab54c0a163e0ac7c7
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/77a8657d-7e88-41d2-b2eb-3adc6fd558ca/
SH256 hash:
71d6a3e4db25151e59c23acc14aec238875943f5b99fc170162d78b044ffec3f
MD5 hash:
0de9a282af4e4ddd7811760ed4693a0d
SHA1 hash:
75ec793fca165eec14e23fca515ce156ff7891b1
Link:
https://www.unpac.me/results/77a8657d-7e88-41d2-b2eb-3adc6fd558ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71d6a3e4db25151e59c23acc14aec238875943f5b99fc170162d78b044ffec3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170735/

Comments