MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c9f494ed4397ccedb3d5c8a10235669a31ae7eb79423b6fa785d141cb6d183d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 9



SHA256 hash: 7c9f494ed4397ccedb3d5c8a10235669a31ae7eb79423b6fa785d141cb6d183d
SHA3-384 hash: 0a7dfcae04577f661e5e7150e08041fa6c19ed02bc68f7c415c48b902df9972797585b275f50bc6b9c3bb4b8bafad5bd
SHA1 hash: cf313578cee3999767c43dd28c77835957c033c6
MD5 hash: c0e07efbb0dd361490426661fe992f6f
humanhash: robin-eighteen-ten-delaware
File name: jobassistmentl.pdf
Download: download sample
Signature: TrickBot
File size: 708'608 bytes
First seen: 2021-07-31 06:53:22 UTC
Last seen: 2021-08-01 19:09:49 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: a31d58fa029c31330a5f25a3035bb8bd (1 x TrickBot)
ssdeep: 6144:53v6kfEPxw1S5sEMeJJFoZbNFcI+rvezdKH5FYMkxsZSdTs8Xc5n4:5/BEP+Qy7eJJa2qKZFhkxsZSdw8Xc5n
Threatray: 3'665 similar samples on MalwareBazaar
TLSH: T11FE42751BC93451EDC88253BDF1922ED8D69EE44BD68E3272A83FA0FB8B19C2D430D55
dhash icon: 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter: abuse_ch
Tags: dll rob116 TrickBot


abuse_ch
TrickBot payload URLs:
http://blomsterhuset-villaflora.dk/assistant.php
https://docs.zohopublic.com/downloaddocument.do?docId=600ml7589188388eb422295079b3d65b001b6&docExtn=pdf

TrickBot C2s:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Intelligence


File Origin
# of uploads: 3
# of downloads: 241
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
22 / 100
Signature
Initial sample is a PE file and has a suspicious name
Behaviour
Behavior Graph:
Behavior Graph (rendered graph not reproduced; ID 457244): sample jobassistmentl.pdf, start date 31/07/2021, architecture WINDOWS, score 22. Signature: initial sample is a PE file and has a suspicious name. Processes observed: AcroRd32.exe started, which in turn started RdrCEF.exe and a second AcroRd32.exe; RdrCEF.exe started two further RdrCEF.exe instances and contacted 192.168.2.1 (unknown).
Threat name:
Win32.Trojan.Trickpak
Status:
Malicious
First seen:
2021-07-31 06:39:56 UTC
AV detection:
6 of 46 (13.04%)
Threat level: 5/5
Result
Malware family:
trickbot
Score: 10/10
Tags:
family:trickbot botnet:rob116 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SHA256 hash:
b18dfe371a14f62ecb632e70409857751f62c1d4fe4134bfee6a8f12bb945889
MD5 hash:
43afbcfa56885feb90e9fc6e2daaeccd
SHA1 hash:
fe529f33bf280a62a0130438db7d60224c83cdc2
Detections:
win_trickbot_auto
SHA256 hash:
f026b00a10386a80277097ae0b89bc863ed3b3e95052a61a66bcbe4653f15f48
MD5 hash:
7829a07a84dac08e574a6bae3a5666bf
SHA1 hash:
d446ae124fb6436990216043d338192b774692e4
SHA256 hash:
6579252ca0d676f188a70163e4030721c8062315450d542b15570976632cb03e
MD5 hash:
5bc54425e9325ccc584080eb0de6b96d
SHA1 hash:
53c3529481468d9e3fd2d098eba08e8bd187587a
SHA256 hash:
87c1ca7971b89ae152837626c428a948fe30e5512f85abb6cd62077c3ad9f8e2
MD5 hash:
3ccbce04a94503fbdcde6c9c5513a188
SHA1 hash:
2a93cdd23e0ec6430c253efb41f53f85bfb8edf6
SHA256 hash:
7c9f494ed4397ccedb3d5c8a10235669a31ae7eb79423b6fa785d141cb6d183d
MD5 hash:
c0e07efbb0dd361490426661fe992f6f
SHA1 hash:
cf313578cee3999767c43dd28c77835957c033c6
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: TrickBot
File type: DLL dll
SHA256 hash: 7c9f494ed4397ccedb3d5c8a10235669a31ae7eb79423b6fa785d141cb6d183d (this sample)

Comments