MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

SHA256 hash: 9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad
SHA3-384 hash: c4a3d24366b598b73b257394355e4b16ae7563aee8139c2e72dc3bce35d442c7b558ec96e6380302e342fbd18f644a12
SHA1 hash: 29fda1648a832bf8b70ea355453fc890b8bd3c66
MD5 hash: 4667f2ac85f21d40d87302b19415acef
humanhash: glucose-beryllium-berlin-papa
File name: yuwxgoZIFLndvl.dll
Signature: TrickBot
File size: 961'536 bytes
First seen: 2021-08-02 20:38:39 UTC
Last seen: 2021-08-02 22:11:51 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 99d9a584957572a810c8e33fd35a9f9a (1 x TrickBot)
ssdeep: 12288:jqaXVtfjXiMnRi5fRP0+yRSB0yYWAk+UI+nbVrSvIo5wm+t30lWF6QvNnIKckHR:jnbfj65fRUSGRZUI+nbBFdnIp4
Threatray: 3'668 similar samples on MalwareBazaar
TLSH: T100157C123AC0C13AD27E3172852AE77566F9AC315CF5975B6ED41A3E1F309829A2C31F
dhash icon: 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter: James_inthe_box
Tags: dll TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 202
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request

Result
Verdict: UNKNOWN
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary may be suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Trickbot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph ID: 458163
Sample: yuwxgoZIFLndvl.dll
Start date: 02/08/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Yara detected Trickbot (reported twice); 3 other signatures

Process tree reconstructed from the graph (node numbers in brackets are the graph's own):
loaddll32.exe [9]
  cmd.exe [15]
    rundll32.exe [22]: Writes to foreign memory regions; Allocates memory in foreign processes
      wermgr.exe [34]: Hijacks the control flow in another process; Writes to foreign memory regions
        contacts 128.201.76.252:443 (source ports 49719, 49727; Pedro F Arruda Junior ME, Brazil), 221.147.172.5:443 (source port 49730; KIXS-AS-KR Korea Telecom, Korea Republic of), 6 other IPs or domains
        svchost.exe [42]: Tries to harvest and steal browser information (history, passwords, etc)
          contacts 45.230.176.157:443 (source port 49735; NetMontes Telecomunicacoes e Servicos Ltda, Brazil), 192.168.2.1 (unknown)
          dropped: C:\Users\user\AppData\Local\...\Web Data.bak (SQLite), C:\Users\user\AppData\...\Login Data.bak (SQLite), C:\Users\user\AppData\Local\...\History.bak (SQLite)
        svchost.exe [47]
        svchost.exe [49]
        2 other processes
      cmd.exe [38]
  rundll32.exe [17]: Writes to foreign memory regions; Allocates memory in foreign processes; Delayed program exit found
    wermgr.exe [25]: May check the online IP address of the machine; Tries to detect virtualization through RDTSC time measurements; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
      contacts 179.189.229.254:443 (source ports 49720, 49728; America-NET Ltda, Brazil), elb097307-934924932.us-east-1.elb.amazonaws.com 54.243.175.83:80 (source port 49724; AMAZON-AES, United States), 8 other IPs or domains
      svchost.exe [40]
    cmd.exe [28]
  rundll32.exe [20]
    wermgr.exe [30]
    cmd.exe [32]
rundll32.exe [11]
rundll32.exe [13]
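The chain in the graph above (rundll32.exe spawning wermgr.exe, which writes into and spawns svchost.exe) is the kind of parent/child and cross-process-write anomaly that host telemetry catches without any knowledge of the C2 list. The following Python is an added example, not code from MalwareBazaar or from the sandbox vendor: it runs two rules over constructed Sysmon-style events (process creation, EventID 1, and CreateRemoteThread, EventID 8). The expected-parent table is an assumption for illustration (services.exe as the launcher of svchost.exe, the WER service host for wermgr.exe) and should be replaced by a baseline from your own estate; the events and PIDs are made up, and loaddll32.exe appears in the graph only because the sandbox loaded the DLL that way.

```python
"""Added example: flag the rundll32 -> wermgr -> svchost chain and the cross-process
writes seen in the sandbox graph, using constructed Sysmon-style events."""
from typing import Dict, Iterable, List

# Expected parent images per child. Assumption, not from the page: services.exe is the
# legitimate launcher of svchost.exe; wermgr.exe is normally started by the WER service
# host (an svchost.exe) or by another wermgr.exe. Tune these sets to your own baseline.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "wermgr.exe": {"svchost.exe", "wermgr.exe"},
}
# Images that have no business creating threads in other processes (assumption, tune per estate).
INJECTION_SOURCES = {"rundll32.exe", "loaddll32.exe", "wermgr.exe"}

# Constructed events using Sysmon field names: EventID 1 = process create, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 612, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 560, "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessId": 3012, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessId": 2988, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessId": 3100, "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentProcessId": 3012, "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 8, "SourceProcessId": 3012, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetProcessId": 3100, "TargetImage": r"C:\Windows\System32\wermgr.exe"},
    {"EventID": 1, "ProcessId": 3200, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 3100, "ParentImage": r"C:\Windows\System32\wermgr.exe"},
    {"EventID": 8, "SourceProcessId": 3100, "SourceImage": r"C:\Windows\System32\wermgr.exe",
     "TargetProcessId": 3200, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # Legitimate Windows Error Reporting launch: wermgr.exe started by the WER service host.
    {"EventID": 1, "ProcessId": 3300, "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentProcessId": 612, "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            child, parent = _base(ev["Image"]), _base(ev["ParentImage"])
            allowed = EXPECTED_PARENT.get(child)
            if allowed is not None and parent not in allowed:
                alerts.append(f"unexpected parent: {parent} (pid {ev['ParentProcessId']})"
                              f" -> {child} (pid {ev['ProcessId']})")
        elif ev["EventID"] == 8:
            src, tgt = _base(ev["SourceImage"]), _base(ev["TargetImage"])
            if src in INJECTION_SOURCES and src != tgt:
                alerts.append(f"remote thread: {src} (pid {ev['SourceProcessId']})"
                              f" -> {tgt} (pid {ev['TargetProcessId']})")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)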
Result
Threat name: Win32.Trojan.Trickpak
Status: Malicious
First seen: 2021-08-02 20:38:30 UTC
File Type: PE (Dll)
Extracted files: 53
AV detection: 2 of 28 (7.14%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob118 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
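The C2 list above is only useful once it is matched against traffic, and the match should be on IP and port together: the sandbox graph shows this sample also talking to an AWS load balancer on port 80 to look up its external IP, which is not C2 and must not alert. The following Python is an added example, not code from MalwareBazaar: it parses the 18 ip:port entries above into an IOC set and scans constructed Zeek-style conn.log rows, with a strict (ip and port) and a loose (ip only) mode. The log rows are made up for the demonstration, reusing two destinations from the sandbox graph; they are not captured traffic.

```python
"""Added example: match outbound connections against the TrickBot C2 list extracted
from this sample (ip:port entries copied from the page; log rows constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# C2 list exactly as extracted from the sample's configuration on this page.
TRICKBOT_C2 = """
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
"""

# Constructed Zeek conn.log rows (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto).
# Not real traffic; two rows reuse destinations seen in the sandbox graph above.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1627936739.0\tCa1\t10.0.0.5\t49720\t179.189.229.254\t443\ttcp",  # listed C2, port 443
    "1627936740.0\tCa2\t10.0.0.5\t49724\t54.243.175.83\t80\ttcp",     # external-IP lookup, not C2
    "1627936741.0\tCa3\t10.0.0.7\t51000\t128.201.76.252\t443\ttcp",   # listed C2, port 443
    "1627936742.0\tCa4\t10.0.0.7\t51001\t128.201.76.252\t80\ttcp",    # listed IP, unlisted port
    "1627936743.0\tCa5\t10.0.0.9\t51002\t93.184.216.34\t443\ttcp",    # unrelated
]


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int


def load_c2(text: str) -> Set[Tuple[str, int]]:
    """Parse 'ip:port' lines into a set of (ip, port); rejects malformed entries."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad C2 entry: {line!r}")
        ipaddress.ip_address(host)  # raises ValueError if the host is not an IP literal
        iocs.add((host, int(port)))
    return iocs


def scan_conn_log(rows: Iterable[str], iocs: Set[Tuple[str, int]],
                  match_port: bool = True) -> List[Hit]:
    """Return rows whose responder matches a C2 entry.

    match_port=True requires ip AND port (fewer false positives on shared hosts);
    match_port=False matches on ip alone (for hunting, when the botnet rotates ports).
    """
    ips = {ip for ip, _ in iocs}
    hits = []
    for row in rows:
        if not row or row.startswith("#"):
            continue
        f = row.split("\t")
        ts, src, dst, dport = f[0], f[2], f[4], int(f[5])
        if (match_port and (dst, dport) in iocs) or (not match_port and dst in ips):
            hits.append(Hit(ts, src, dst, dport))
    return hits


if __name__ == "__main__":
    c2 = load_c2(TRICKBOT_C2)
    for h in scan_conn_log(SAMPLE_CONN_LOG, c2):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport}  TrickBot C2 match")
```

Strict mode flags the two port-443 rows only; loose mode also flags the port-80 row to 128.201.76.252. Several of these addresses sit in consumer or small-ISP ranges, so treat the list as dated to the first-seen timestamp above and expire it rather than carrying bare IPs forward indefinitely.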
Unpacked files

SHA256 hash: 7db5bf06cfc04592c6cdffbf334f3be7342ee28e7823414c43269f496aff0a96
MD5 hash: a282b28e3f78bda8093e9dddcbd77763
SHA1 hash: bc70555d077ecbc73585340221f79b409d927603

SHA256 hash: 98ddd8184bf4c0ea16f96af5410e78c161b343b143f5cd703a48cb8d86c9b569
MD5 hash: 7cb5c26881d2fb9a49585d321e783bbc
SHA1 hash: a0b2c57d05a31dc3aed679fbc99a392443a27356

SHA256 hash: a98f817a376b364cee5e4498eb8685838df2c69f515767d1924e462c2f62e2a3
MD5 hash: ed618cbb5754c81ef7b99cc9f7dbdc63
SHA1 hash: 873bcb3b47d9b4d58ef57bb427c0f4c1b03fa815

SHA256 hash: 20802ad8a4dfce3ce45c7d7b26315ce78f75257447f0a198412c3e13119fedeb
MD5 hash: 72111999275d62436965730deac23a85
SHA1 hash: 39d7c50af24c0245cc633028b44c39bfdb6f7e9e
Detections: win_trickbot_auto

SHA256 hash: 9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad
MD5 hash: 4667f2ac85f21d40d87302b19415acef
SHA1 hash: 29fda1648a832bf8b70ea355453fc890b8bd3c66
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments