MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 8

SHA256 hash: 892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7
SHA3-384 hash: 1917877a897d85b282ca5e8bdaa9ac9219d7c4b7dc53fcb36d9c271f64ae1a67e5367ae68d09349f9a9531de8f3b95f9
SHA1 hash: bd5a73297ad86d1df83018e848cc0250a30d1fe9
MD5 hash: 2ab4cc984ec0b93b82c0e4bf03aa8c5f
humanhash: autumn-pennsylvania-quebec-oranges
File name: IMG_837.JPG
Signature: TrickBot
File size: 700'461 bytes
First seen: 2021-08-04 13:59:00 UTC
Last seen: 2021-08-04 17:13:17 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash c1c817cc4859bdc7f1c0c1a9b8c92160 (1 x TrickBot)
ssdeep 12288:P/0oFwB5C7k70pW2OS2QRT8hr+4gT4FpawCi0:EoFS5C6H2OSpK6wpaXi0
Threatray 3'679 similar samples on MalwareBazaar
TLSH T1CDE4BF01F9E38432D6AB42341BA2FB7167F8AC552762E3C75BC0DD1B3A369C215396B1
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags: dll rob120 TrickBot


abuse_ch
Payload URLs:
https://files.zohoexternal.com/public/workdrive-external/download/ggi8w3183a1077e104d07a84291d0d5dcc1de
http://asesoriasconfood.com.co/magazine/magazine.php

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Intelligence


File Origin
# of uploads: 2
# of downloads: 228
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour: Sending a UDP request

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: suspicious
Classification: n/a
Score: 21 / 100
Signature: Initial sample is a PE file and has a suspicious name
Result
Threat name: Win32.Trojan.Trickpak
Status: Malicious
First seen: 2021-08-04 13:59:06 UTC
AV detection: 9 of 28 (32.14%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob120 banker trojan
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
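The C2 list above is the most directly actionable IOC set on this page. The following script is an added example, not MalwareBazaar's or the vendor's code: it parses the `ip:port` entries exactly as listed here into a lookup table and runs them over a few firewall-style log lines that are constructed for the example (the timestamps, internal hosts and the benign destinations are made up; the log format and the `LOG_RE` regex are assumptions and would need adjusting to a real log source). A connection to a listed IP on the listed port is reported as an exact match; a listed IP on a different port is still reported, but flagged so the analyst can weight it lower.

```python
"""Match outbound connections against the TrickBot C2 list from this entry.

Added example (not part of MalwareBazaar or the sample). The C2 entries
below are the ones listed on this page; the log lines are constructed
for the example and are not real traffic.
"""
import re
from dataclasses import dataclass

# C2 list as extracted by the sandbox vendor on this page (ip:port per line).
TRICKBOT_C2 = """
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
"""


def parse_c2_list(text):
    """Return {ip: {port, ...}} from 'ip:port' lines; blank lines are skipped."""
    c2 = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, port = line.rpartition(":")
        c2.setdefault(ip, set()).add(int(port))
    return c2


# Constructed firewall-style log lines (not real traffic; format is an
# assumption): one hit on the listed port, one to a listed IP on an
# unlisted port, and two benign connections.
SAMPLE_LOG = """\
2021-08-04T14:02:11Z ALLOW TCP 10.0.0.15:51234 -> 185.56.175.122:443
2021-08-04T14:02:12Z ALLOW TCP 10.0.0.15:51235 -> 142.250.74.78:443
2021-08-04T14:03:40Z ALLOW TCP 10.0.0.22:49811 -> 62.99.79.77:8443
2021-08-04T14:05:02Z DENY  UDP 10.0.0.15:55001 -> 8.8.8.8:53
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Hit:
    line_no: int
    src: str
    dst: str
    dport: int
    port_match: bool  # True when the port is also one listed for that C2


def find_c2_hits(log_text, c2):
    """Scan log lines; report any destination IP present in the C2 table."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than silently miss
        dst, dport = m["dst"], int(m["dport"])
        if dst in c2:
            hits.append(Hit(n, m["src"], dst, dport, dport in c2[dst]))
    return hits


if __name__ == "__main__":
    for h in find_c2_hits(SAMPLE_LOG, parse_c2_list(TRICKBOT_C2)):
        conf = "exact ip:port" if h.port_match else "ip only, different port"
        print(f"line {h.line_no}: {h.src} -> {h.dst}:{h.dport} ({conf})")
```

Two caveats when using this for real: IP-based C2 indicators age quickly, so bound the search window to the period around the sample's first-seen date rather than matching forever, and treat an IP-only match on an unlisted port as a lead to investigate, not a confirmed infection.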
Unpacked files

SHA256 hash: ff33a9ed8fbbc95cf9d20e1e8798c27ab07be69e76411b430c991285b03f1f47
MD5 hash: 53255326d92a57a956a9addcdfef6c86
SHA1 hash: b9f3b7146590551ffde93de03a6156c87f09ad21
Detections: win_trickbot_auto

SHA256 hash: 1b6a7c006c786d4d5bf9bb6d965d6fb867b1cdbc52ab759cf9dbd2325add2d4c
MD5 hash: 965069c8b0a921a1d07e87a4a43176e1
SHA1 hash: 7cbfca6509aecc0b465a6fe04dfdf12eeb96bf6a

SHA256 hash: f0cd6c49e7afe877f2351a00e9b5cdb5fe39053d912940aa0825f7903372876c
MD5 hash: 7eaf2441e9508dff4c89e1557cbdb166
SHA1 hash: 61e414671292c73dd7b513616d72c040178125e0

SHA256 hash: a3114d98111c3494dda9d836cbd7d9f9f579da5cef03c571b15b84b097ab2ac8
MD5 hash: ee0546cb011d23cf282ae6f5e73f803a
SHA1 hash: 1515d642b464d848e55eaac7b5f18daf6357a9c3

SHA256 hash: 892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7 (this sample)
MD5 hash: 2ab4cc984ec0b93b82c0e4bf03aa8c5f
SHA1 hash: bd5a73297ad86d1df83018e848cc0250a30d1fe9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Malspam
Signature: TrickBot
File type: DLL dll
SHA256 hash: 892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7 (this sample)

Comments