MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 8



SHA256 hash: 82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4
SHA3-384 hash: 0ee859a6dba0e1f163b3ba2989c988b76394245d6e65bce98bfc3bf9c1fb65bc2ac31cd6ce2a9b3f4fe82d57a49924ae
SHA1 hash: 99454df8089d75fa6a219d497b2c73fa67e827c7
MD5 hash: 32f0b80eb20e7140b7ae490ee7161113
humanhash: two-blue-march-florida
File name: redtank.dll
Signature: TrickBot
File size: 397'355 bytes
First seen: 2021-08-19 04:54:38 UTC
Last seen: 2021-08-19 06:10:03 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 89aafe32fea223936c5c233bf06df6d3 (4 x TrickBot)
ssdeep: 6144:vW3hP/F9A3hAfKKC64zROB6NBbTN+qGfhI6zSRZKhoRli2fFzs:vWRHAhAfKbRO6NBbTMp/STKhoHi2fFzs
Threatray: 1'528 similar samples on MalwareBazaar
TLSH: T17B84E062F1D600B6CDBB5AB4082F2AB2CEB52D485BE44BCF1F94EA8F10375D19532355
dhash icon: 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter: ankit_anubhav
Tags: dll TrickBot

Intelligence


File Origin
# of uploads: 2
# of downloads: 188
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
TrickBot
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Performs a network lookup / discovery via net view
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Behavior Graph ID 467923 (sample redtank.dll, start date 19/08/2021, architecture WINDOWS, score 100): process tree of loaddll32.exe and rundll32.exe spawning cmd.exe, wermgr.exe and svchost.exe; wermgr.exe contacts several external IPs on port 443; svchost.exe drops SQLite backups of browser databases (Web Data.bak, Login Data.bak, History.bak, Cookies.bak) and spawns cmd.exe running ipconfig.exe, net.exe and net1.exe.
Threat name:
Win32.Infostealer.Trickster
Status:
Malicious
First seen:
2021-08-19 04:55:06 UTC
AV detection:
7 of 46 (15.22%)
Threat level: 5/5
Result
Malware family:
trickbot
Score: 10/10
Tags:
family:trickbot botnet:rob122 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: TrickBot, DLL dll, 82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4 (this sample)

Delivery method: Distributed via e-mail attachment

Comments