MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 970fe530e3eaa88b4ae4e9cfff4d911874ab45c7e8026522d89a8f97632a5726. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 970fe530e3eaa88b4ae4e9cfff4d911874ab45c7e8026522d89a8f97632a5726
SHA3-384 hash: ed9684bafaf225b257ed1157da8c0373fc0ec2eed3cc73faae00051253b20e9356511ad5d3250684f88858c87ebd4757
SHA1 hash: 87b15ed63220b199b72737eaf1d744300aefa34d
MD5 hash: 790eef2cd2b527c7350aa2f6800de31c
humanhash: island-princess-virginia-illinois
File name:790eef2cd2b527c7350aa2f6800de31c.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:861'696 bytes
First seen:2021-07-14 15:19:37 UTC
Last seen:2021-07-14 16:11:19 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash a9b6c26936cbed29ffdd5c3c54f9fb9a (2 x TrickBot)
ssdeep 12288:Uq01h69yRiu1fctxoF+/o8qZPUvuTh2rS/IIsrb+msgaa+Wnw:Uq0syMu1CxoEo8nuSRbfsgF
Threatray 822 similar samples on MalwareBazaar
TLSH T14805BF12FEC19835E1AA1175CD36CFEC12A87E70FEE0862B6B847F5E6E32041B934655
Reporter abuse_ch
Tags:dll rob107 TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171732/
Detection(s):
SecuriteInfo.com.LresultFromObject.30255.7687.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b169148a-efdf-4bae-a0b0-2b98ee8a9309
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/816459
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448870 Sample: 6kZeSToEoa.dll Startdate: 14/07/2021 Architecture: WINDOWS Score: 96 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Found malware configuration 2->69 71 Yara detected Trickbot 2->71 73 Sigma detected: CobaltStrike Load by Rundll32 2->73 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 rundll32.exe 10->16         started        19 cmd.exe 1 10->19         started        21 rundll32.exe 10->21         started        signatures5 61 Writes to foreign memory regions 16->61 63 Allocates memory in foreign processes 16->63 65 Delayed program exit found 16->65 23 wermgr.exe 16->23         started        27 cmd.exe 16->27         started        29 rundll32.exe 19->29         started        31 wermgr.exe 21->31         started        33 cmd.exe 21->33         started        process6 dnsIp7 55 148.235.154.164, 443, 49748 UninetSAdeCVMX Mexico 23->55 57 97.83.40.67, 443, 49726, 49739 CHARTER-20115US United States 23->57 59 12 other IPs or domains 23->59 77 May check the online IP address of the machine 23->77 79 Writes to foreign memory regions 23->79 81 Tries to detect virtualization through RDTSC time measurements 23->81 83 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 23->83 35 cmd.exe 1 23->35         started        85 Allocates memory in foreign processes 29->85 37 wermgr.exe 29->37         started        41 cmd.exe 29->41         started        signatures8 process9 dnsIp10 43 conhost.exe 35->43         started        49 185.81.51.44, 443, 49751 VIA-SMSLV Latvia 37->49 51 190.145.83.98, 443, 49769 TelmexColombiaSACO Colombia 37->51 53 14 other IPs or domains 37->53 75 Writes to foreign memory regions 37->75 45 cmd.exe 1 37->45         started        signatures11 process12 process13 47 conhost.exe 45->47         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/970fe530e3eaa88b4ae4e9cfff4d911874ab45c7e8026522d89a8f97632a5726/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 15:20:13 UTC
AV detection:
2 of 46 (4.35%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
250d4fb488729b671611e96c8801875221b5086aa44562acd2b6a56488ca8150
TrickBot
430efdb79d9d0560d74c99566671d064f93746e4162fc8c492a5b023ac6c0442
TrickBot
6ac9af13a02c781f20484c344a61f47c1988b93f99786fcb93042678ac7be760
TrickBot
82ee229f96371decb519948d2b1cffdccb39859fca84909032acef7da5bd0093
TrickBot
c3f153bb4b44d9e0cb3cab0bf7eed03b8eea280b97756937dedbe74c7013a3d3
TrickBot
d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48
TrickBot
dea612148b5f17340638f8d3939c519013c5e28eb1aaacc2c026a1cbb885314b
TrickBot
f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1
TrickBot
f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3
TrickBot
fccb8dea9ab7e194eadc863a8e7658b9076fddd4b645b4241ab5b9a33997afcc
TrickBot
+ 812 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob107 banker trojan
Link:
https://tria.ge/reports/210714-45awph9pax/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
5494a1e91eafab5a55f1a3d050f99e1e4926044de2fd42f99cdbd39c4ab9ef2a
MD5 hash:
27c01015b6234e10b33f88d7a7918cda
SHA1 hash:
e320ce29d1578be1c23007c2739fd3f18bc5c2c2
Link:
https://www.unpac.me/results/e1250f4d-8936-4387-b6ae-f07c08c539dd/
SH256 hash:
f22a63c15f382982b7af10a7d46a38f70935978b794b5c972ccd15b77aaddf57
MD5 hash:
2c0073f908bfdcf395ae02647c5cbf1f
SHA1 hash:
decc8a8e5867ccf5e95e1bdd02c958afde02a59f
Link:
https://www.unpac.me/results/e1250f4d-8936-4387-b6ae-f07c08c539dd/
SH256 hash:
3e3c2176a265e68790fd8d112000cde07b09db7f7c455d6573c806390f753d8c
MD5 hash:
ec80b81143b26bbaa8a51a142ae5db78
SHA1 hash:
953ec5733daf3e0415ce1bde25b19fd56bd5d2bb
Link:
https://www.unpac.me/results/e1250f4d-8936-4387-b6ae-f07c08c539dd/
SH256 hash:
83c28683dde6c4c8179b11c3125e5434791cdc0cff0ac8ddabd6ec927c9eb07e
MD5 hash:
03bd64eb7cab5255f12f38cffbde5498
SHA1 hash:
54190b4a0a04b9f1c702766827a3751f88003bff
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e1250f4d-8936-4387-b6ae-f07c08c539dd/
SH256 hash:
970fe530e3eaa88b4ae4e9cfff4d911874ab45c7e8026522d89a8f97632a5726
MD5 hash:
790eef2cd2b527c7350aa2f6800de31c
SHA1 hash:
87b15ed63220b199b72737eaf1d744300aefa34d
Link:
https://www.unpac.me/results/e1250f4d-8936-4387-b6ae-f07c08c539dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/970fe530e3eaa88b4ae4e9cfff4d911874ab45c7e8026522d89a8f97632a5726

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 970fe530e3eaa88b4ae4e9cfff4d911874ab45c7e8026522d89a8f97632a5726

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/171732/
  
URLhaus
https://urlhaus.abuse.ch/url/1453982/
  
Delivery method
Distributed via web download

Comments