MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ec541b1d1a6f3ed344bc9fb87448608c338036edf2a50dcdfd16905bcae9110. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9

SHA256 hash: 9ec541b1d1a6f3ed344bc9fb87448608c338036edf2a50dcdfd16905bcae9110
SHA3-384 hash: 24e42d35bd8a6c583a98bea9b539578aeeca78f0f9fec4a324e4523a34f9dba845b95dd602bab233289ce27fd257e18e
SHA1 hash: b3fb1b73b75cf3387e6188654d5068ffacbf0e34
MD5 hash: 3f2f5684f03696cf02b94d1b2ef0b976
humanhash: seven-ack-violet-washington
File name: 156.dll
Signature: TrickBot
File size: 443'904 bytes
First seen: 2021-03-19 17:57:05 UTC
Last seen: 2021-03-19 19:47:48 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 4f0c2c904283b81b81368f0a41d1a1ac (9 x IcedID, 2 x TrickBot)
ssdeep: 6144:GLxEipndZINSqPnWrhKsA0RoQQ651PVc/u/DcI8nOatDe9JYe8HVFT8gAPwyDq5Z:OBn3bZrhjoQQafcY4eTg3yDq5epFG
Threatray: 1 similar sample on MalwareBazaar
TLSH: CF9412119130A510EDEA16B166683FF5E93848111B7E4FAB337F7811CF49AE6A3093E6
Reporter: p5yb34m
Tags: dll, mon156, TrickBot


Source: https://ozpinarco.com/wp-content/themes/archi-child/images/prettyPhoto/156.dll

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 344
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: TrickBot
Detection: malicious
Classification: troj
Score: 56 / 100
Signature
Multi AV Scanner detection for submitted file
Yara detected Trickbot
Behaviour
Behavior Graph (ID 372206, sample 156.dll, start date 19/03/2021, architecture WINDOWS, score 56): signatures "Multi AV Scanner detection for submitted file" and "Yara detected Trickbot"; loaddll32.exe starts cmd.exe, rundll32.exe and regsvr32.exe; cmd.exe starts iexplore.exe, which contacts 192.168.2.1, edge.gycpi.b.yahoodns.net (87.248.118.23:443), tls13.taboola.map.fastly.net (151.101.1.44:443) and 10 other IPs or domains.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-03-19 17:58:08 UTC
AV detection: 6 of 28 (21.43%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:mon156 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: a984ef0429c26721a5df8a5d90898d2b29b59ab4d728fad1facf087847e306dd
MD5 hash: 55a42939029934c9359a507a876bb553
SHA1 hash: d4d3b664c1aefb2460f9d88b51e662b43e13d661

SHA256 hash: 39c45f33dfb6ea523a860bfc300750fcac17c349e9c1a6652ab7dc0016ca4cce
MD5 hash: 1aff7a26ea95c5b9cd4204efbb7ee413
SHA1 hash: 13d9606cc845fb807753bb8eb978d52006782f89
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto

SHA256 hash: 9ec541b1d1a6f3ed344bc9fb87448608c338036edf2a50dcdfd16905bcae9110
MD5 hash: 3f2f5684f03696cf02b94d1b2ef0b976
SHA1 hash: b3fb1b73b75cf3387e6188654d5068ffacbf0e34
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: TrickBot
File type: DLL (dll)
SHA256 hash: 9ec541b1d1a6f3ed344bc9fb87448608c338036edf2a50dcdfd16905bcae9110 (this sample)

Comments