MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
SHA3-384 hash: 527eb469712d3787406508062814a5096c5abad26b62bcea8309779b4b088422c01a7f1610d29b40ebfb2f5ce15cdb13
SHA1 hash: bd10a2a6b0c1212ff697633cef5198eccde5413a
MD5 hash: e92d50f4349ca1a51784fa8155f699e1
humanhash: charlie-bakerloo-idaho-double
File name:2.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:876'544 bytes
First seen:2021-08-16 17:07:15 UTC
Last seen:2021-08-16 18:15:40 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 248f2d602d490233abbb095e760215c2 (1 x TrickBot)
ssdeep 12288:AB7O8YzAyMqsaVtvdWR6ZO9ikMVESyQHMsTcuUq6NMEdk:AB7pYUy3sGvtYOEpP7q6N5
Threatray 1'111 similar samples on MalwareBazaar
TLSH T1B7158C02B6B5CC36C19A203F6A13A65512EFAD404EBAF187F797ABCD1A307817527347
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:dll rob122 TrickBot


Avatar
abuse_ch
TrickBot payload URLs:
http://185.244.41.28/click.php
http://185.244.41.17/111/2.dll

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179634/
Detection(s):
SecuriteInfo.com.generic.ml.8423.13962.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% directory
Deleting a recently created file
Changing a file
Creating a file in the Windows subdirectories
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b81bff23-8592-4772-b550-10be584771c8
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833724
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466151 Sample: 2.dll Startdate: 16/08/2021 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Found malware configuration 2->81 83 Yara detected Trickbot 2->83 85 2 other signatures 2->85 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 cmd.exe 1 9->15         started        17 rundll32.exe 9->17         started        20 rundll32.exe 9->20         started        signatures5 22 rundll32.exe 15->22         started        75 Writes to foreign memory regions 17->75 77 Allocates memory in foreign processes 17->77 25 wermgr.exe 17->25         started        28 cmd.exe 17->28         started        30 wermgr.exe 20->30         started        32 cmd.exe 20->32         started        process6 dnsIp7 91 Writes to foreign memory regions 22->91 93 Allocates memory in foreign processes 22->93 34 wermgr.exe 22->34         started        38 cmd.exe 22->38         started        63 105.27.205.34, 443, 49718 SEACOM-ASMU Mauritius 25->63 65 46.99.175.149, 443, 49710, 49717 IPKO-ASAL Albania 25->65 67 6 other IPs or domains 25->67 95 May check the online IP address of the machine 25->95 97 Tries to detect virtualization through RDTSC time measurements 25->97 99 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->99 40 svchost.exe 25->40         started        signatures8 process9 dnsIp10 57 221.147.172.5, 443, 49720 KIXS-AS-KRKoreaTelecomKR Korea Republic of 34->57 59 181.129.167.82, 443, 49712, 49719 EPMTelecomunicacionesSAESPCO Colombia 34->59 61 6 other IPs or domains 34->61 87 Hijacks the control flow in another process 34->87 89 Writes to foreign memory regions 34->89 42 svchost.exe 11 34->42         started        47 svchost.exe 34->47         started        signatures11 process12 dnsIp13 69 103.148.201.66, 443, 49736 WORTEL-AS-IDPTWortelID unknown 42->69 71 186.101.84.222, 443, 49738 TelconetSAEC Ecuador 42->71 73 8 other IPs or domains 42->73 49 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 42->49 dropped 51 C:\Users\user\AppData\...\Login Data.bak, SQLite 42->51 dropped 53 C:\Users\user\AppData\Local\...\History.bak, SQLite 42->53 dropped 55 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 42->55 dropped 101 Tries to harvest and steal browser information (history, passwords, etc) 42->101 file14 signatures15
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tw77wsygsjdwjcbv7pn4p3tr2rt64jmkg6yfpf7ih6wp4u7gcakq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c
TrickBot
145922b0a4d90db4438ca924535a6f058472744a29b3a4f2875846a84bd41b99
TrickBot
367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb
TrickBot
58eb3b6a9dd371f2b5c39166f7f52d0fdaa6ec8a32962221cf4f44a47c3e67e7
TrickBot
892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7
TrickBot
9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad
TrickBot
bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
TrickBot
+ 1'101 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob122 banker trojan
Link:
https://tria.ge/reports/210816-587ahzttna/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
402d8f76835acce2f634c3f85f86700e67284fa3703337be3eccb59e8f9e6567
MD5 hash:
39393f72ff46bca4a5992a1c70c33df0
SHA1 hash:
aa814a880c755d25720a9c112f3ace59b663fc56
Link:
https://www.unpac.me/results/3fd56041-b234-4de0-bc6a-8f74a65aa07d/
SH256 hash:
6f49a15c911af98ee94e62b1b81600ffce5c22832ce7dcf436471debc2a2a209
MD5 hash:
047fbd38483009cb4456edb0374b6cf1
SHA1 hash:
91499129c20d028fe7dfd24878725f345d70b589
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/3fd56041-b234-4de0-bc6a-8f74a65aa07d/
Parent samples :
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
22068c7cbb40c3149b694b5fca1675d95e7e12509b36fa37350c194737c6c1f9
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
SH256 hash:
06049712f4230bad8c36f9f10d1a16f37822ab08aff5351f677d175dbac9978e
MD5 hash:
ed8721df9719f6010943e85106166ac6
SHA1 hash:
72147fa7c7cfc8788f16a8ecac53f8afeba0d316
Link:
https://www.unpac.me/results/3fd56041-b234-4de0-bc6a-8f74a65aa07d/
SH256 hash:
948e4fa0294f376eb4ee1528dd9ad261e02c8fc21e545d166d87f22c062ace0a
MD5 hash:
18fb8ac7679fbf67e107895de3272232
SHA1 hash:
39a316f5544656729e3ab8e1298a3820c8167e69
Link:
https://www.unpac.me/results/3fd56041-b234-4de0-bc6a-8f74a65aa07d/
SH256 hash:
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
MD5 hash:
e92d50f4349ca1a51784fa8155f699e1
SHA1 hash:
bd10a2a6b0c1212ff697633cef5198eccde5413a
Link:
https://www.unpac.me/results/3fd56041-b234-4de0-bc6a-8f74a65aa07d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9dbffb4b0692/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Java Script (JS) js 3d3f9ef35b78b4368a3e098c6f119bf3bf103840959c71b52fcd979e78f21993

TrickBot

DLL dll 9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1539521/
  
Dropped by
MD5 0896adeee9ddd62a678707d7bf5980b5
  
Dropped by
SHA256 3d3f9ef35b78b4368a3e098c6f119bf3bf103840959c71b52fcd979e78f21993
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/179634/

Comments