MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5
SHA3-384 hash: 49d807b1e568f325ea8b0ecc222e85bb88943db62957478357795f4e1e4065bccda2ae693088272bdee320f8c1e60e86
SHA1 hash: ce17868a5cfd8cf70a44185776c1e019581be161
MD5 hash: 3c63702d60a6a7fed77d574858f1f2b3
humanhash: mockingbird-washington-indigo-massachusetts
File name:3c63702d60a6a7fed77d574858f1f2b3.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:1'180'672 bytes
First seen:2021-08-22 15:01:43 UTC
Last seen:2021-08-22 16:03:40 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 05bc8af9bf5c786dfa8271d68f7b9019 (4 x TrickBot)
ssdeep 12288:KtbEazZXGqs9onpRXBTlTGkxiLU6iRW9vLYHILxKdWIT09VuObClb4cCwOBCkjZl:KbEqXGo7BTlT0AdqYHILxCv/U1
Threatray 1'159 similar samples on MalwareBazaar
TLSH T1C6459D1136D4C076D27A35B1451AE7BA26E9A8315FF682CB6FD41E3D1F346C29A3830B
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181267/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46842577.29179.17299.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2e6b775-3911-4a27-afa9-32d4c653d4bf
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837087
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 469516 Sample: KHe5xSALc9.dll Startdate: 22/08/2021 Architecture: WINDOWS Score: 100 87 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->87 89 Found malware configuration 2->89 91 Multi AV Scanner detection for dropped file 2->91 93 5 other signatures 2->93 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 cmd.exe 1 9->15         started        17 rundll32.exe 9->17         started        20 rundll32.exe 9->20         started        22 rundll32.exe 11->22         started        signatures5 24 rundll32.exe 15->24         started        79 Writes to foreign memory regions 17->79 81 Allocates memory in foreign processes 17->81 83 Queues an APC in another process (thread injection) 17->83 85 Delayed program exit found 17->85 27 wermgr.exe 17->27         started        30 cmd.exe 17->30         started        32 wermgr.exe 20->32         started        34 cmd.exe 20->34         started        36 wermgr.exe 22->36         started        38 cmd.exe 22->38         started        process6 dnsIp7 97 Writes to foreign memory regions 24->97 99 Allocates memory in foreign processes 24->99 40 wermgr.exe 3 24->40         started        45 cmd.exe 24->45         started        73 60.51.47.65, 443, 49709, 49722 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 27->73 75 5.152.175.57, 443, 49723 SKYLOGIC-ASIT Spain 27->75 77 6 other IPs or domains 27->77 101 May check the online IP address of the machine 27->101 103 Tries to detect virtualization through RDTSC time measurements 27->103 105 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 27->105 47 svchost.exe 27->47         started        signatures8 process9 dnsIp10 67 185.56.175.122, 443, 49710, 49718 VIRTUAOPERATOR-ASPL Poland 40->67 69 105.27.205.34, 443, 49719 SEACOM-ASMU Mauritius 40->69 71 6 other IPs or domains 40->71 65 C:\Users\user\AppData\...\fpKHe5xSALc9hf.dmo, PE32 40->65 dropped 107 Hijacks the control flow in another process 40->107 109 Writes to foreign memory regions 40->109 49 svchost.exe 5 40->49         started        53 svchost.exe 40->53         started        55 svchost.exe 40->55         started        file11 signatures12 process13 file14 57 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 49->57 dropped 59 C:\Users\user\AppData\...\Login Data.bak, SQLite 49->59 dropped 61 C:\Users\user\AppData\Local\...\History.bak, SQLite 49->61 dropped 63 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 49->63 dropped 95 Tries to harvest and steal browser information (history, passwords, etc) 49->95 signatures15
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-22 01:43:54 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxyfpuwdpqgnhjwyyew4oc3x3by3lucp26qto7txelrtykmamdcq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
TrickBot
336c374c048c503e3e4f6d5f3d357ca49cc5ecf0187378a3869edcc050b9d441
TrickBot
33fcd639567316ceffba1be151d878ece3af93f5a6949be1387d3c98435c5bf9
TrickBot
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
TrickBot
9c8e26bdf89634254162a5529bd2c8c3bc4c2215be3d7cb39a47fcd0327c045d
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc
TrickBot
f60d8bd3ca821e7de945f17d646654b7c0f25949aa8c6f780313925076444fc2
TrickBot
+ 1'149 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob125 banker trojan
Link:
https://tria.ge/reports/210822-xl326lxdex/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
667dec1d877b05e74694224bd9612c4c5639e7e5eb9370bb3c4bab04945ac579
MD5 hash:
637d8774ce9c85a5f9880078f18ce461
SHA1 hash:
a3c05d198c3f7ec5162d0b2ec0be4c78dbb547a4
Link:
https://www.unpac.me/results/d5e9308e-377d-4efa-820c-f2003886b824/
SH256 hash:
ce61b15cc9513c1f7cbb74fa4222feea49d7899c3b253915c083bca0bee8d67f
MD5 hash:
8c7f1ca38ac2fc31d4a07bf8274e9fa2
SHA1 hash:
8f0f67bd9d46eed8a1bf7559fae8de6210ec6cca
Link:
https://www.unpac.me/results/d5e9308e-377d-4efa-820c-f2003886b824/
SH256 hash:
fe452401869013c2a0bbd767e7b13ccd57e09eff4185a9cf1a7e4d2b1e8f69bf
MD5 hash:
9bd90889f3d69beaa81490e37d0ab7f2
SHA1 hash:
643452d9626813face64787f7cdb0bf59808b0f3
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/d5e9308e-377d-4efa-820c-f2003886b824/
Parent samples :
33fcd639567316ceffba1be151d878ece3af93f5a6949be1387d3c98435c5bf9
85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5
03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201
ff2e1604b5ab04fc43039d5f94d08073f756115b1018846a253c0ad93ed94f8b
SH256 hash:
28204ec5cb8df6974e6a6c648b0769de16bdbc837296870d2ea5e06f824d7857
MD5 hash:
a6499c0f09a39a97012f1b872569cab5
SHA1 hash:
59deccf6178cf8ef4f120aa464dfd87c05aee8e7
Link:
https://www.unpac.me/results/d5e9308e-377d-4efa-820c-f2003886b824/
SH256 hash:
85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5
MD5 hash:
3c63702d60a6a7fed77d574858f1f2b3
SHA1 hash:
ce17868a5cfd8cf70a44185776c1e019581be161
Link:
https://www.unpac.me/results/d5e9308e-377d-4efa-820c-f2003886b824/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/85f057d2c37c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1552526/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181267/

Comments