MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e56e276f8847c9ff3973e49e005a7a76a2ce251bda01cd5ef252f9a4ae9c04e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e56e276f8847c9ff3973e49e005a7a76a2ce251bda01cd5ef252f9a4ae9c04e
SHA3-384 hash: 309844f278497aa97bddf4f607558ccb0c0ca487a03688d4ffd791bc98333d94028b6b66de253fc1d309983c379fcf1a
SHA1 hash: 51f2d352e1f67924c5351c59941e86ecd7972c16
MD5 hash: 59ec367995c6cf649ab2a6d280836e31
humanhash: cat-winner-carolina-gee
File name:113_ColourPickDemo.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:380'928 bytes
First seen:2021-07-29 06:12:49 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 93c8be65f795f8d5eaeffa41b2fede54 (1 x TrickBot)
ssdeep 6144:qMAkbRLPcME7axCCXBqHhVEEX/Pw/Q4EbOZwBaqaQaf4+OlHB7VOolFu0JRLdInR:qpkbRLPcMEBZz3aq8Q7HVfl/byndPn
Threatray 907 similar samples on MalwareBazaar
TLSH T13E84F10272E48472D1AE067D1E7AE726A7BBFD60CEF1CB831B501B5E5C325515E2A323
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter JoulK
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174871/
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/239b82a8-392c-4172-8c74-15482d1d7208
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823572
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455984 Sample: 113_ColourPickDemo.dll Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 69 68.150.189.185.zen.spamhaus.org 2->69 93 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->93 95 Found malware configuration 2->95 97 Multi AV Scanner detection for dropped file 2->97 99 4 other signatures 2->99 11 loaddll32.exe 1 2->11         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        signatures3 process4 process5 17 rundll32.exe 11->17         started        20 cmd.exe 1 11->20         started        22 rundll32.exe 11->22         started        24 rundll32.exe 13->24         started        signatures6 89 Writes to foreign memory regions 17->89 91 Allocates memory in foreign processes 17->91 26 wermgr.exe 17->26         started        30 cmd.exe 17->30         started        32 rundll32.exe 20->32         started        34 wermgr.exe 22->34         started        36 cmd.exe 22->36         started        38 wermgr.exe 24->38         started        40 cmd.exe 24->40         started        process7 dnsIp8 71 60.51.47.65, 443, 49718, 49732 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 26->71 73 182.253.210.130, 443, 49736, 49782 BIZNET-AS-APBIZNETNETWORKSID Indonesia 26->73 75 7 other IPs or domains 26->75 101 Hijacks the control flow in another process 26->101 103 May check the online IP address of the machine 26->103 105 Writes to foreign memory regions 26->105 109 2 other signatures 26->109 42 cmd.exe 11 26->42         started        47 cmd.exe 1 26->47         started        107 Allocates memory in foreign processes 32->107 49 wermgr.exe 3 32->49         started        51 cmd.exe 32->51         started        signatures9 process10 dnsIp11 77 94.140.114.239, 443, 49784 NANO-ASLV Latvia 42->77 79 194.15.113.73, 443 INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB Ukraine 42->79 81 194.135.33.220, 443, 49783 ASBAXETNRU Russian Federation 42->81 61 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 42->61 dropped 63 C:\Users\user\AppData\...\Login Data.bak, SQLite 42->63 dropped 65 C:\Users\user\AppData\Local\...\History.bak, SQLite 42->65 dropped 111 Tries to harvest and steal browser information (history, passwords, etc) 42->111 53 conhost.exe 42->53         started        55 conhost.exe 47->55         started        83 204.138.26.60, 443, 49724 NTT-COMMUNICATIONS-2914US United States 49->83 85 217.115.240.248, 443, 49743 MGICZMGIautonomoussystemCzechRepublicCZ Czech Republic 49->85 87 18 other IPs or domains 49->87 67 C:\Users\user\...\hb113_ColourPickDemopd.grf, PE32 49->67 dropped 113 Writes to foreign memory regions 49->113 57 cmd.exe 1 49->57         started        file12 signatures13 process14 process15 59 conhost.exe 57->59         started       
Gathering data
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 17:50:35 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a
TrickBot
6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549
TrickBot
848b47c55da850343ef365a367da5387673219f69ac6a0fa98a23527c886a350
TrickBot
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
TrickBot
b161eb34e5513131f4b0a4c0318646ed3448122445d7924e03ff5822a6e2d2dd
TrickBot
e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb
TrickBot
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
TrickBot
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
TrickBot
+ 897 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob113 banker trojan
Link:
https://tria.ge/reports/210729-6h78px9f3j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
25939f03c43151ec5474f746fc71510fb6abe8b5e41da44fef74b6bc806e26b4
MD5 hash:
14e049a9f6cf9749165621c26365931b
SHA1 hash:
7644a353908969fa261f656c79c6050ef8b76eb3
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/bbeb182c-5868-4e3a-95a4-6c67d322e7c6/
Parent samples :
7e56e276f8847c9ff3973e49e005a7a76a2ce251bda01cd5ef252f9a4ae9c04e
25939f03c43151ec5474f746fc71510fb6abe8b5e41da44fef74b6bc806e26b4
SH256 hash:
43978a32d4de3ef545eaa774298a1571f2f9ce7e92ab6a42f32149b5d799c342
MD5 hash:
b661c92f398d593877686dbf352adbae
SHA1 hash:
87281389608b208fc2210800d7d98f37a031fd2e
Link:
https://www.unpac.me/results/bbeb182c-5868-4e3a-95a4-6c67d322e7c6/
SH256 hash:
30755d82b4927fad68c4cc8011c8bed7839a589dd57c6f59aa437915fc5cde7f
MD5 hash:
231a0ffe28e263b54b7fc0d031a37ba7
SHA1 hash:
8ea4c8c631149b9f08cccd7be9b8f4ee96bee750
Link:
https://www.unpac.me/results/bbeb182c-5868-4e3a-95a4-6c67d322e7c6/
SH256 hash:
8ace1f3a84938eb6298c3d923a32b6244db78c4016815d0ddfd86e9a0d387d9f
MD5 hash:
4b5ee9abde1e227a04c2048aaa3878d8
SHA1 hash:
9a7f72f69fc66d2aac0687f272d7c242e16fd4ec
Link:
https://www.unpac.me/results/bbeb182c-5868-4e3a-95a4-6c67d322e7c6/
SH256 hash:
7e56e276f8847c9ff3973e49e005a7a76a2ce251bda01cd5ef252f9a4ae9c04e
MD5 hash:
59ec367995c6cf649ab2a6d280836e31
SHA1 hash:
51f2d352e1f67924c5351c59941e86ecd7972c16
Link:
https://www.unpac.me/results/bbeb182c-5868-4e3a-95a4-6c67d322e7c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7e56e276f8847c9ff3973e49e005a7a76a2ce251bda01cd5ef252f9a4ae9c04e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174871/

Comments