MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 848b47c55da850343ef365a367da5387673219f69ac6a0fa98a23527c886a350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 848b47c55da850343ef365a367da5387673219f69ac6a0fa98a23527c886a350
SHA3-384 hash: 109e10bfe8d04f909f850b3ea00f2c3414539afe7229dd25c1c1e1e2b3252d179c03490941ebd9f54bdc5b1f43406cbb
SHA1 hash: f9274e33dc0ce645c108b277a6a4c016872bf58a
MD5 hash: c7ea77da6e9c68fa54bbb11c1b12818b
humanhash: burger-illinois-romeo-muppet
File name:f9274e33dc0ce645c108b277a6a4c016872bf58a.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:692'224 bytes
First seen:2021-07-28 21:49:23 UTC
Last seen:2021-07-28 22:38:21 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 4d18aa629d32fc1418d2c36b6b3e2391 (1 x TrickBot)
ssdeep 6144:h+AkE7yH5CFIVOTdH3Pb+yeAOpn2SB4VNNvpnGYXqnHeMDpFNHrUQTBzu:9wPUdH3Pb+yeXJOvPX2eM1HrUQTBz
Threatray 905 similar samples on MalwareBazaar
TLSH T1BCE4D70022C4667ECC76003ED96943B527D5E8343676EE72FA81FE78F6920916B5BD83
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter Anonymous
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174845/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.29868.1261.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05ccc771-4d41-4c85-b456-abae5475a0ae
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/823492
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 455901 Sample: zLLmhY59MT.dll Startdate: 28/07/2021 Architecture: WINDOWS Score: 96 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Found malware configuration 2->67 69 Yara detected Trickbot 2->69 71 Sigma detected: CobaltStrike Load by Rundll32 2->71 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 rundll32.exe 10->16         started        19 cmd.exe 1 10->19         started        21 rundll32.exe 10->21         started        signatures5 61 Writes to foreign memory regions 16->61 63 Allocates memory in foreign processes 16->63 23 wermgr.exe 16->23         started        27 cmd.exe 16->27         started        29 rundll32.exe 19->29         started        31 wermgr.exe 21->31         started        33 cmd.exe 21->33         started        process6 dnsIp7 55 217.115.240.248, 443, 49762 MGICZMGIautonomoussystemCzechRepublicCZ Czech Republic 23->55 57 ipecho.net 34.117.59.81, 49767, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 23->57 59 12 other IPs or domains 23->59 77 May check the online IP address of the machine 23->77 79 Writes to foreign memory regions 23->79 81 Tries to detect virtualization through RDTSC time measurements 23->81 83 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 23->83 35 cmd.exe 1 23->35         started        85 Allocates memory in foreign processes 29->85 37 wermgr.exe 29->37         started        41 cmd.exe 29->41         started        signatures8 process9 dnsIp10 43 conhost.exe 35->43         started        49 24.162.214.166, 443, 49745, 49750 TWC-11427-TEXASUS United States 37->49 51 38.110.103.124, 443, 49742 BELAIR-TECHNOLOGIESCA United States 37->51 53 7 other IPs or domains 37->53 73 Hijacks the control flow in another process 37->73 75 Writes to foreign memory regions 37->75 45 cmd.exe 1 37->45         started        signatures11 process12 process13 47 conhost.exe 45->47         started       
Gathering data
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1821f9759c9ebfca686106002abb3601e79f82993af834155a8abb68681aa89a
TrickBot
6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549
TrickBot
9da8a5a0b5957db6112e927b607a8fd062b870f2132c4ae3442eb63235f789e1
TrickBot
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
TrickBot
ab31cadce548ff34783ae6a838a3ece8484f4c96b02de8c9b314c0f96c064ab7
TrickBot
b161eb34e5513131f4b0a4c0318646ed3448122445d7924e03ff5822a6e2d2dd
TrickBot
e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb
TrickBot
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
TrickBot
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
TrickBot
+ 895 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob115 banker trojan
Link:
https://tria.ge/reports/210728-ys41srw4ss/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
3547459db812984b37f17183941003219f0d3445f78556e103027f4038c5b68a
MD5 hash:
c2c82860a57e6ccf93f7ad4823217993
SHA1 hash:
7845f3b947d2cdcf7028cf422357a6c04e8ae380
Link:
https://www.unpac.me/results/8c2d608f-dec0-4c97-99d5-6511a4861d94/
SH256 hash:
4af815593add13b7bf287b7d7c5c8d5fb921558a4c6e995f364d3633560cd0ee
MD5 hash:
004238f561a2d0ee306b53e12600b945
SHA1 hash:
4111cd6316d3e5b1fbe06d4fc416d1ba93e2d064
Link:
https://www.unpac.me/results/8c2d608f-dec0-4c97-99d5-6511a4861d94/
SH256 hash:
057bedc962e9fa042cda0980689a3e46169e66bcc55e534b4b362f54e301ce1b
MD5 hash:
caf8aa38a98b1499e4069262711dd1e4
SHA1 hash:
3af9114bb050e3f191cb3a8c9458a531cf87ceb5
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8c2d608f-dec0-4c97-99d5-6511a4861d94/
SH256 hash:
996a283277e953733b798d80a37834f138f903f482664720200a10c82ea855b2
MD5 hash:
150ce70371b829b7aa92b3b9f381d6d7
SHA1 hash:
37493f6ae2fbd4c0127bddd6ed92c07c0218f984
Link:
https://www.unpac.me/results/8c2d608f-dec0-4c97-99d5-6511a4861d94/
SH256 hash:
848b47c55da850343ef365a367da5387673219f69ac6a0fa98a23527c886a350
MD5 hash:
c7ea77da6e9c68fa54bbb11c1b12818b
SHA1 hash:
f9274e33dc0ce645c108b277a6a4c016872bf58a
Link:
https://www.unpac.me/results/8c2d608f-dec0-4c97-99d5-6511a4861d94/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/848b47c55da850343ef365a367da5387673219f69ac6a0fa98a23527c886a350

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174845/

Comments