MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a0b3a21e8932b903f9d79b948c6abf8f735746d4f4c10934f57c34726af3f3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a0b3a21e8932b903f9d79b948c6abf8f735746d4f4c10934f57c34726af3f3d
SHA3-384 hash: 2ee38f24d5ec7153c08546dd5a6e27429f88c0c4c8fe6b9396e639e23d13840cbc1a731775cc147b35894b69ab3d0cf6
SHA1 hash: c0f7e382731dd95eeb362aedee928d99e6eaadc1
MD5 hash: 4185a656dd45d56626bc9ded66c3a7bd
humanhash: florida-salami-hawaii-blossom
File name:SecuriteInfo.com.UDS.Trojan.Win32.Trickpak.gen.13196.11909
Download: download sample
Signature TrickBot
Create hunting rule
File size:497'664 bytes
First seen:2021-07-01 21:46:12 UTC
Last seen:2021-07-01 22:39:04 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 81a06e7356308d6f90f3bb9ae999e758 (1 x TrickBot)
ssdeep 12288:eYUqByp7YKoM2/tDnJ6JKNcelTCs8ytO1AlYd8lVI1:DUqQB/2/tLJzl/rM1AY8Xm
Threatray 3'318 similar samples on MalwareBazaar
TLSH F2B4CF113680C877C5AE32B54557D7796AEDB4305BF0D38BAFD40ABD9E226D18E3830A
Reporter SecuriteInfoCom
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169242/
Detection(s):
SecuriteInfo.com.UDS.Trojan.Win32.Trickpak.gen.13196.11909.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c6df30d5-958e-457f-95a9-a940a0259e6a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/810837
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443248 Sample: SecuriteInfo.com.UDS.Trojan... Startdate: 01/07/2021 Architecture: WINDOWS Score: 76 93 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->93 95 Multi AV Scanner detection for submitted file 2->95 10 loaddll32.exe 1 2->10         started        13 regsvr32.exe 2->13         started        15 rundll32.exe 2->15         started        17 rundll32.exe 2->17         started        process3 signatures4 103 Writes to foreign memory regions 10->103 105 Allocates memory in foreign processes 10->105 107 Delayed program exit found 10->107 19 regsvr32.exe 10->19         started        22 cmd.exe 1 10->22         started        24 rundll32.exe 10->24         started        26 3 other processes 10->26 process5 dnsIp6 97 Writes to foreign memory regions 19->97 99 Allocates memory in foreign processes 19->99 101 Delayed program exit found 19->101 29 wermgr.exe 19->29         started        33 cmd.exe 19->33         started        35 rundll32.exe 22->35         started        37 wermgr.exe 24->37         started        39 cmd.exe 24->39         started        65 148.235.154.164, 443, 49782 UninetSAdeCVMX Mexico 26->65 67 185.56.76.94, 443, 49763, 49779 GRUPOINFOSHOPES Spain 26->67 69 9 other IPs or domains 26->69 41 iexplore.exe 5 153 26->41         started        43 cmd.exe 26->43         started        signatures7 process8 dnsIp9 71 74.85.157.139, 443, 49742, 49758 FUSEPR Puerto Rico 29->71 79 9 other IPs or domains 29->79 109 Tries to detect virtualization through RDTSC time measurements 29->109 111 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 29->111 45 cmd.exe 29->45         started        113 Writes to foreign memory regions 35->113 115 Allocates memory in foreign processes 35->115 117 Delayed program exit found 35->117 47 wermgr.exe 35->47         started        51 cmd.exe 35->51         started        73 24.162.214.166, 443, 49783, 49785 TWC-11427-TEXASUS United States 37->73 75 68.69.26.182, 443, 49764 KOS-1193CA Canada 37->75 81 7 other IPs or domains 37->81 53 cmd.exe 37->53         started        77 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49744, 49745 YAHOO-DEBDE United Kingdom 41->77 83 12 other IPs or domains 41->83 55 conhost.exe 43->55         started        signatures10 process11 dnsIp12 57 conhost.exe 45->57         started        85 204.138.26.134, 443, 49777, 49781 NTT-COMMUNICATIONS-2914US United States 47->85 87 185.56.76.28, 443, 49743, 49759 GRUPOINFOSHOPES Spain 47->87 89 9 other IPs or domains 47->89 91 Writes to foreign memory regions 47->91 59 cmd.exe 47->59         started        61 conhost.exe 53->61         started        signatures13 process14 process15 63 conhost.exe 59->63         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9a0b3a21e8932b903f9d79b948c6abf8f735746d4f4c10934f57c34726af3f3d/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 19:53:11 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tiftuipismvzap45pg4urrvl7d3tk5dnj5gbbe2pk7buojvph46q._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
083424f93427a47fe75c914dcf71091226bd598a0ce512dccd01cb0b5d48c918
TrickBot
1161c095c63b3b47494043acf049d9803b6cf13a453af90f6ed415d1e357291c
TrickBot
1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989
TrickBot
355e27face9221cba40aa70d9054bc9d38e57e167e72f92baae989d6b3cde2c2
TrickBot
4b2c39847825cdbc53f5a1afa37f047eeba06b7b490b191967e88cba0706df3e
TrickBot
63460db804ae28d642ede8b1c6126958dc0d42c4e526903fca6e147569a7b9d0
TrickBot
8366ec12a0a566dd36e60c387942b054865d2ee8d9aba3fd502b34068514bc64
TrickBot
87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4
TrickBot
896b649c68a4c744c0bcab8c1918732ef1c82bb51ffaea777d3035867bd2787a
TrickBot
b039b8374364c149ab5f182fb9f3ab47ab09e3918afa0bcaae3d22974a665cbc
TrickBot
+ 3'308 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:sat2 banker trojan
Link:
https://tria.ge/reports/210701-dl53y95va2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
f48a9a8881b0e7c9fac17712d2d842b20c7293c8633115bbdacc71f2dd9a109c
MD5 hash:
b891eb9a9ead174836f95cfdee373957
SHA1 hash:
a085ec5d205cc75cc53bd08b2b916b009c1bafce
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9d1fe987-7e67-4bc8-8132-d36e5a91d952/
SH256 hash:
97b793d0be0179046a2cc51df69c3c1f06432ce3973ee58142dc7f60badaa5ff
MD5 hash:
b8f5d5ec7787c75c6362815c8e0484eb
SHA1 hash:
8f039b710b510a77400d04e4735d0c2e4835d188
Link:
https://www.unpac.me/results/9d1fe987-7e67-4bc8-8132-d36e5a91d952/
SH256 hash:
303fbd4f2f2c7e2735505ccae8f7895acc72523372229b80312f50d8aa791f4d
MD5 hash:
5bfeb8b2ced642f3027123c896c6d2e6
SHA1 hash:
33a493a40dc735cf77da81444a4de1179ecc3826
Link:
https://www.unpac.me/results/9d1fe987-7e67-4bc8-8132-d36e5a91d952/
SH256 hash:
f79a25af518debff9860a88fabf8f81d387fddf6b0f7a12c995644f7fe55c63a
MD5 hash:
e0c0e8a88136f6fd7b16b8fc651a2f62
SHA1 hash:
339c99a7819ab3f611ccef9e50cd5ce1e9a4af3c
Link:
https://www.unpac.me/results/9d1fe987-7e67-4bc8-8132-d36e5a91d952/
SH256 hash:
9a0b3a21e8932b903f9d79b948c6abf8f735746d4f4c10934f57c34726af3f3d
MD5 hash:
4185a656dd45d56626bc9ded66c3a7bd
SHA1 hash:
c0f7e382731dd95eeb362aedee928d99e6eaadc1
Link:
https://www.unpac.me/results/9d1fe987-7e67-4bc8-8132-d36e5a91d952/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a0b3a21e8932b903f9d79b948c6abf8f735746d4f4c10934f57c34726af3f3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll 9a0b3a21e8932b903f9d79b948c6abf8f735746d4f4c10934f57c34726af3f3d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1417124/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/169242/

Comments