MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a44afa0907b48e04657561e24ca6e009777c607827d08086dff676b1249b9de9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a44afa0907b48e04657561e24ca6e009777c607827d08086dff676b1249b9de9
SHA3-384 hash: e52d8b8b5a012d9ec6e76a1710d85e8dc6eec55d05c7ce8cf6fabc7c79c025ea72e6e31be8fd010ddda0d09445ca035d
SHA1 hash: 10c792d0e37a4b55669e38d34bfc4f7290592e9d
MD5 hash: 970141c334965b51e960fc287106ba9a
humanhash: ceiling-mockingbird-twelve-charlie
File name:970141c334965b51e960fc287106ba9a
Download: download sample
Signature TrickBot
Create hunting rule
File size:528'384 bytes
First seen:2021-07-16 14:36:04 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9646f8d9906f1ec39cfd7388ea0616e5 (2 x TrickBot)
ssdeep 12288:VE2DFZrTO3XZ3jLOBWTNvFD1VeubeMl2005W7eQT:VrrTO3J3WwZv91VeAlXw
Threatray 3'401 similar samples on MalwareBazaar
TLSH T140B4CF127D90C436D7AF03B08D631B7B52B9B8007B79C98B6BBC8E4E1E7585C8635297
Reporter zbetcheckin
Tags:32 dll exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172222/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Trickpak.gen.6132.11493.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/109eca46-aab7-476f-90bb-b375da5d94e1
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/817538
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449949 Sample: 6J08VVHWxd Startdate: 16/07/2021 Architecture: WINDOWS Score: 92 108 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->108 110 Found malware configuration 2->110 112 Multi AV Scanner detection for submitted file 2->112 114 2 other signatures 2->114 10 loaddll32.exe 1 2->10         started        13 rundll32.exe 2->13         started        15 rundll32.exe 2->15         started        17 regsvr32.exe 2->17         started        process3 signatures4 122 Writes to foreign memory regions 10->122 124 Allocates memory in foreign processes 10->124 19 regsvr32.exe 10->19         started        22 cmd.exe 1 10->22         started        24 rundll32.exe 10->24         started        28 3 other processes 10->28 26 rundll32.exe 13->26         started        process5 dnsIp6 116 Writes to foreign memory regions 19->116 118 Allocates memory in foreign processes 19->118 31 wermgr.exe 19->31         started        35 cmd.exe 19->35         started        37 rundll32.exe 22->37         started        39 wermgr.exe 24->39         started        41 cmd.exe 24->41         started        43 cmd.exe 26->43         started        45 wermgr.exe 26->45         started        80 68.69.26.182, 443 KOS-1193CA Canada 28->80 82 38.110.103.124, 443, 49777, 49806 BELAIR-TECHNOLOGIESCA United States 28->82 84 9 other IPs or domains 28->84 47 iexplore.exe 144 28->47         started        49 cmd.exe 28->49         started        signatures7 process8 dnsIp9 86 190.61.43.241, 443, 49834 UFINETPANAMASAPA Colombia 31->86 88 24.162.214.166, 443, 49826, 49831 TWC-11427-TEXASUS United States 31->88 94 12 other IPs or domains 31->94 100 Tries to detect virtualization through RDTSC time measurements 31->100 102 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 31->102 51 cmd.exe 31->51         started        104 Writes to foreign memory regions 37->104 106 Allocates memory in foreign processes 37->106 53 wermgr.exe 3 37->53         started        58 cmd.exe 37->58         started        90 148.235.154.164, 443, 49814, 49845 UninetSAdeCVMX Mexico 39->90 92 60.51.47.65, 443, 49803, 49809 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 39->92 96 9 other IPs or domains 39->96 60 cmd.exe 1 39->60         started        98 12 other IPs or domains 47->98 62 conhost.exe 49->62         started        signatures10 process11 dnsIp12 64 conhost.exe 51->64         started        74 185.56.76.72, 443, 49804 GRUPOINFOSHOPES Spain 53->74 76 185.56.76.94, 443, 49771, 49786 GRUPOINFOSHOPES Spain 53->76 78 12 other IPs or domains 53->78 72 C:\Users\user\AppData\...\xr6J08VVHWxdhb.grf, PE32 53->72 dropped 120 Writes to foreign memory regions 53->120 66 cmd.exe 53->66         started        68 conhost.exe 60->68         started        file13 signatures14 process15 process16 70 conhost.exe 66->70         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a44afa0907b48e04657561e24ca6e009777c607827d08086dff676b1249b9de9/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 14:37:03 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1161c095c63b3b47494043acf049d9803b6cf13a453af90f6ed415d1e357291c
TrickBot
71d6a3e4db25151e59c23acc14aec238875943f5b99fc170162d78b044ffec3f
TrickBot
970fe530e3eaa88b4ae4e9cfff4d911874ab45c7e8026522d89a8f97632a5726
TrickBot
9a0b3a21e8932b903f9d79b948c6abf8f735746d4f4c10934f57c34726af3f3d
TrickBot
d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48
TrickBot
daaa30e482038f20a6a9a2f0b5dee9e5f5e06284e7acea2413aa255d0e66d5d1
TrickBot
e70bf6458eee2cfcf961aa219af2296cf14df04a9dbb3686ddcde1478fe38265
TrickBot
f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1
TrickBot
+ 3'391 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:sat2 banker trojan
Link:
https://tria.ge/reports/210716-ztnwt239yx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
710e9acda27a151378430a87320ebd3bd6d77c7dcaabc57f3414d6d27ad90e35
MD5 hash:
036fa39cb9ba5a9958fab0f7e4c23ef7
SHA1 hash:
afa461acf5efd6828742caa5eba6464245317f52
Link:
https://www.unpac.me/results/8de40a56-6245-440d-bbb0-74b9271ef5ac/
SH256 hash:
975a471e7fc9b0b20c4a569dc8efa952cd368ba6e97e9264604b72296eb058c3
MD5 hash:
06c9a03fb11c392bd66bcbaf63f72578
SHA1 hash:
aa5a844332f2bc67a98690d6d2823e0c8a5af49d
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8de40a56-6245-440d-bbb0-74b9271ef5ac/
Parent samples :
daaa30e482038f20a6a9a2f0b5dee9e5f5e06284e7acea2413aa255d0e66d5d1
a44afa0907b48e04657561e24ca6e009777c607827d08086dff676b1249b9de9
SH256 hash:
3d718f4f2603c3370d60f355806955069c45814620b140abef9b1b2e8052154d
MD5 hash:
11bb5785995c25b3c4640df50e73953a
SHA1 hash:
2ff6450590a47538c8004948207c3510b2902165
Link:
https://www.unpac.me/results/8de40a56-6245-440d-bbb0-74b9271ef5ac/
SH256 hash:
478a0c49e58830ffc0da0332d9053104e575f0c71c2ee048dbaf22f07054b28b
MD5 hash:
d5cb6100cfdd1a5ec7741b10517fc740
SHA1 hash:
25bd11e64af7ed3587599a1d162f5eafa9d8c564
Link:
https://www.unpac.me/results/8de40a56-6245-440d-bbb0-74b9271ef5ac/
SH256 hash:
a44afa0907b48e04657561e24ca6e009777c607827d08086dff676b1249b9de9
MD5 hash:
970141c334965b51e960fc287106ba9a
SHA1 hash:
10c792d0e37a4b55669e38d34bfc4f7290592e9d
Link:
https://www.unpac.me/results/8de40a56-6245-440d-bbb0-74b9271ef5ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a44afa0907b48e04657561e24ca6e009777c607827d08086dff676b1249b9de9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll a44afa0907b48e04657561e24ca6e009777c607827d08086dff676b1249b9de9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172222/

Comments


Avatar
zbet commented on 2021-07-16 14:36:04 UTC

url : hxxp://185.255.130.247/images/earthmap.png