MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
SHA3-384 hash: f59bc5e90aa2458d80c6808892d15396358e38a0951d3ef2bed03552e49b38a8db25d2ab60dfec15de0880c82af7d89f
SHA1 hash: ecb9bc6117c3c619901055206b3fcc9c70a9d330
MD5 hash: 35874bb0db7d5712d1dfa229f8033aab
humanhash: east-table-sad-arizona
File name:aredplane.png
Download: download sample
Signature TrickBot
Create hunting rule
File size:602'112 bytes
First seen:2021-10-19 14:52:53 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash a41e602f2bd2d3f2d246378f964f4626 (4 x TrickBot)
ssdeep 12288:mpE9ujlV704/VaAvamomBZXflcChftF0A61dZmwp22lFn42:8E0jlu4NawvdRF0rDp2OFnl
Threatray 4'267 similar samples on MalwareBazaar
TLSH T1FFD4D003B2E0C036C2EF1234AD566B9576FDFC605AF5C687AB807B4D2E31AC15A35369
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:dll rob136 TrickBot


Avatar
abuse_ch
TrickBot payload URL:
http://195.133.192.72/images/aredplane.png

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198593/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.15341.23351.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/616edbd0db358dd15ec4fc7b/reports/c4341263-003e-4783-8364-c99cb71bf1b8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c576391-ef59-487f-a129-8316e0fb16da
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/873377
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505812 Sample: aredplane.png Startdate: 19/10/2021 Architecture: WINDOWS Score: 92 35 Found malware configuration 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected Trickbot 2->39 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        signatures5 51 Writes to foreign memory regions 10->51 53 Allocates memory in foreign processes 10->53 55 Queues an APC in another process (thread injection) 10->55 57 Delayed program exit found 10->57 17 wermgr.exe 10->17         started        21 cmd.exe 10->21         started        23 rundll32.exe 13->23         started        25 wermgr.exe 15->25         started        27 cmd.exe 15->27         started        process6 dnsIp7 33 65.152.201.203, 443, 49752, 49835 CENTURYLINK-US-LEGACY-QWESTUS United States 17->33 41 Found potential dummy code loops (likely to delay analysis) 17->41 43 Tries to detect virtualization through RDTSC time measurements 17->43 45 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 17->45 47 Writes to foreign memory regions 23->47 49 Allocates memory in foreign processes 23->49 29 wermgr.exe 23->29         started        31 cmd.exe 23->31         started        signatures8 process9
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 14:53:06 UTC
AV detection:
10 of 26 (38.46%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31
TrickBot
14da4c490e00343fde9db5a283c5b2f36d9699e5b5ef6df7f40ff51f97cbe8fe
TrickBot
26a6d15bb16939076bf726e4e573b2519f7fa222c35a3b5361d9c208a10b284b
TrickBot
6cdc36e5c8774b62bbeeaa2141af5fd3c9c5ca33e0197e6301f76f23e59e9e22
TrickBot
6db7642e42467842b97947426d78418e58c1e0b25f125ce0faa8bfa6436a70b2
TrickBot
8535cee5617eb72238f813ef3ae9884558c79cfdce04125e1adec30091e7a7b3
TrickBot
9e470e0dec1667c6c05aed506db5d6bfbfc0ee313627531aaffccc3c0a72f8b2
TrickBot
be6f52a5ec95249cc20be5224a6c1e759e06a447c7996b98d063308d3077a2d0
TrickBot
decd474e4c808ac1a3255e1b6aecab359028bbadb6852f9ff70b33fdea648978
TrickBot
+ 4'257 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob136 banker trojan
Link:
https://tria.ge/reports/211019-r9atjagae8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
20ba144cbdba3238cc8228d892e916e6351a0f2be0cdabb7d94251f305273bcc
MD5 hash:
a933bc0f73dff2461239e83c7f1e25c9
SHA1 hash:
f35590e8506d63f21dada76efb4183d706db1dd2
Link:
https://www.unpac.me/results/7803ffb7-5634-4c86-b604-bcc08b44188d/
SH256 hash:
26f76f22131d7c79defb400bc80755ca66cc1a072e3cb6e1613b8d780a171665
MD5 hash:
d09b00e792418eb8c2b5a52d0f2f2ac6
SHA1 hash:
b6706842a5cdbb3d4d49e664fa4caa49afc691ec
Link:
https://www.unpac.me/results/7803ffb7-5634-4c86-b604-bcc08b44188d/
SH256 hash:
fe4113b32c3d774ac5210a04b6e0e339a93770edb97bfd004e1f5448ccba851d
MD5 hash:
4be9f19c34ee551f4c889f1c2f0fd469
SHA1 hash:
992d028dedbec8de291552613eccc39b96dd5d17
Link:
https://www.unpac.me/results/7803ffb7-5634-4c86-b604-bcc08b44188d/
SH256 hash:
b2c4e3e3eacf501232242e9a340dfe29776ae79685e5cb7bdb25dcb168c793c3
MD5 hash:
5003d5e55f514b8f18d0c3b5d2942e2c
SHA1 hash:
5a197cabd54e8fdc40ee1bbce711ed3879d0089f
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7803ffb7-5634-4c86-b604-bcc08b44188d/
Parent samples :
968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb
f8cdd0190b5b1bc3a441e8298cdedec9f09bca6ff99ec0b461d7730985ffb78b
1455e78e95b8e3b9df5eb8d8d1703018c927694c6269e01f1b846abdfa054b82
65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b
af7526d30d40da60e83b0423f338f0740886321eadaae86ce16c10af44e44c3e
c0c4cf3a74e70f837e73f44ed95789946b02de457b6155ddc4e14a9441f92048
4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520
SH256 hash:
968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
MD5 hash:
35874bb0db7d5712d1dfa229f8033aab
SHA1 hash:
ecb9bc6117c3c619901055206b3fcc9c70a9d330
Link:
https://www.unpac.me/results/7803ffb7-5634-4c86-b604-bcc08b44188d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/968a796e04e6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xlsm 056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31

TrickBot

DLL dll 968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1696421/
  
Dropped by
MD5 dc05be7a3a80a8361cebded08ba1ad6f
  
Dropped by
SHA256 056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198593/

Comments