MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f46729f68497f8aa905e1f8ed3d197d5924a8d7acee4813b1549e6ede0cc6a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: TrickBot
Vendor detections: 9

SHA256 hash: 9f46729f68497f8aa905e1f8ed3d197d5924a8d7acee4813b1549e6ede0cc6a8
SHA3-384 hash: 65440251826669e935eb69176d1a40eb82ae8bdc4d1db9b82982e5274fcdf2d2c4a22dc8ecc6cb7de81da26f0b53ff83
SHA1 hash: 403cc32f641133f41a5f1a9b8746871d87348f00
MD5 hash: 5bb0b118834c3af28feedc0d594b9b2f
humanhash: timing-alabama-bulldog-oven
File name: 5bb0b118834c3af28feedc0d594b9b2f.dll
Signature: TrickBot
File size: 786'506 bytes
First seen: 2021-03-13 09:07:48 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 31071badda1e7968ca6e154608046ad6 (3 x TrickBot)
ssdeep: 12288:w3huEehO+HvYoMsL3DfKiEI+tPnrkdled5ACnRRa:AuEeY+P3vEI+JnrkAPRRa
Threatray: 5 similar samples on MalwareBazaar
TLSH: F5F4DF5331E1C276C6EF16300E292729A7F6BDA44B35E5C76784CA2E5D739C24A3A313
Reporter: abuse_ch
Tags: dll mon126 TrickBot

Intelligence

File Origin
# of uploads: 1
# of downloads: 373
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness: (not given)
Behaviour: Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: TrickBot
Detection: malicious
Classification: troj
Score: 56 / 100
Signature: Multi AV Scanner detection for submitted file; Yara detected Trickbot
Behaviour:
Behavior Graph (ID 368280; sample fQaJL7NFzx.dll; start date 13/03/2021; architecture WINDOWS; score 56)
  Signatures: Multi AV Scanner detection for submitted file; Yara detected Trickbot
  Process tree: loaddll32.exe -> cmd.exe, rundll32.exe, regsvr32.exe; cmd.exe -> iexplore.exe -> iexplore.exe
  Network (from iexplore.exe): edge.gycpi.b.yahoodns.net 87.248.118.22:443 (YAHOO-DEBDE, United Kingdom); tls13.taboola.map.fastly.net 151.101.1.44:443 (FASTLYUS, United States); 9 other IPs or domains
Result
Threat name: Win32.Trojan.Trickpak
Status: Malicious
First seen: 2021-03-12 17:14:55 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:mon126 banker trojan
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Looks up external IP address via web service
  Templ.dll packer
  Trickbot
Malware Config
C2 Extraction:
Unpacked files

SHA256 hash: ff11f1931be59aa263ad9745632629bcaa712ed9fa970962d3b75a5218c14d1d
MD5 hash: b0ca9cdcd8d2c34f6465e48af9adfe18
SHA1 hash: b0ea0f669c4ee25eb4e69df172022bcf40f32270

SHA256 hash: 8156db841872e4eb8442e5c68e9c0f9cea1e44a43c029b3546b84e1325568c9e
MD5 hash: 9e655dbac2e68c194b3883461f6ce972
SHA1 hash: 7edc7aee0b916e8ff40f8546d2b2909c3cb6f0cb

SHA256 hash: 991fb6e60602c54be0e0b10ce6a1fb6ad94b622ce065265c8a84f0527e45a8fd
MD5 hash: ed2f26fc3890cd318357b86a1e446b36
SHA1 hash: 608a6ad49c4919f06f45db3f9d0a57ea8c79639d
Detections: win_trickbot_a4 win_trickbot_auto

SHA256 hash: 9f46729f68497f8aa905e1f8ed3d197d5924a8d7acee4813b1549e6ede0cc6a8
MD5 hash: 5bb0b118834c3af28feedc0d594b9b2f
SHA1 hash: 403cc32f641133f41a5f1a9b8746871d87348f00
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: TrickBot
File type: DLL dll
SHA256 hash: 9f46729f68497f8aa905e1f8ed3d197d5924a8d7acee4813b1549e6ede0cc6a8 (this sample)

Delivery method: Distributed via web download
