MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a87a1461c989e6a6a28768733633d89fb4a79e24a8475f745e379d958df68741. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot
Vendor detections: 8

SHA256 hash: a87a1461c989e6a6a28768733633d89fb4a79e24a8475f745e379d958df68741
SHA3-384 hash: 8e99ec0b56b0a317f1e6cc0239be7382ceade8f4479c957629a462991df5ab46910c424972a53feb66b3dda7fbdbf16f
SHA1 hash: 9bd82c96fc9d0c46dd4088d955856a903893da96
MD5 hash: b6f19a1c2a2fbfd8517ab7045adb8455
humanhash: oregon-london-july-tennis
File name: update(1).dll
Download: download sample
Signature: TrickBot
File size: 414'720 bytes
First seen: 2020-07-22 11:01:28 UTC
Last seen: Never
File type: dll
MIME type: application/x-dosexec
imphash: cb0ec0002f83075a6fb4f3e8b4300bfe (3 x TrickBot)
ssdeep: 6144:VqHtcN1ONcf3Qpguy7FEw3lE5Fyn/qeH78XGqqReU:QHtcN1O03Qy76w3l2ynLHYrqR
Threatray: 2'156 similar samples on MalwareBazaar
TLSH: BB94D0203690C036E29725794A29C7714A7EB97167E1E8CF7FC64A7A1F24FD1DA3430A
Reporter: JAMESWT_WT
Tags: TrickBot
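Before doing anything with a downloaded sample, check that the bytes you have match the digests in this record. The script below is an added example, not part of the MalwareBazaar page or the abuse.ch tooling; the hash and size values are copied from the record above, and the imphash step assumes the third-party pefile module (real API: pefile.PE(data=...).get_imphash()) and is skipped when it is not installed. MalwareBazaar serves downloads as a password-protected ZIP (password: infected), so the digests must be taken over the extracted DLL, never over the archive.

```python
"""Verify a sample downloaded from MalwareBazaar against the hashes in this record.

Added example; values under RECORD are copied from the MalwareBazaar entry above.
"""
import hashlib
from typing import Dict, Optional

# Values copied from this MalwareBazaar record.
RECORD = {
    "sha256": "a87a1461c989e6a6a28768733633d89fb4a79e24a8475f745e379d958df68741",
    "sha3_384": "8e99ec0b56b0a317f1e6cc0239be7382ceade8f4479c957629a462991df5ab46910c424972a53feb66b3dda7fbdbf16f",
    "sha1": "9bd82c96fc9d0c46dd4088d955856a903893da96",
    "md5": "b6f19a1c2a2fbfd8517ab7045adb8455",
    "imphash": "cb0ec0002f83075a6fb4f3e8b4300bfe",
    "size": 414720,
}


def digest_file(data: bytes) -> Dict[str, str]:
    """Return the four digests MalwareBazaar lists, as lowercase hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def imphash(data: bytes) -> Optional[str]:
    """Import hash (MD5 over the normalised import table), the value behind the
    "3 x TrickBot" pivot in the record. Needs the optional pefile module
    (assumption: it is installed); returns None when it is missing or the
    bytes are not a parseable PE file."""
    try:
        import pefile
    except ImportError:
        return None
    try:
        return pefile.PE(data=data).get_imphash()
    except Exception:  # pefile raises PEFormatError on malformed input; be defensive on hostile bytes
        return None


def verify_sample(data: bytes, record: Dict[str, object] = RECORD) -> Dict[str, Optional[bool]]:
    """Compare every digest (and the size) of `data` against the record.

    A mismatch on a sample pulled by SHA256 almost always means the wrong file
    was hashed (for example the ZIP container), not that the record is wrong.
    The imphash entry is None when pefile is unavailable, so callers can tell
    "not checked" from "checked and different".
    """
    computed = digest_file(data)
    result: Dict[str, Optional[bool]] = {name: computed[name] == record[name] for name in computed}
    result["size"] = len(data) == record["size"]
    ih = imphash(data)
    result["imphash"] = None if ih is None else ih == record["imphash"]
    return result


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for name, ok in verify_sample(fh.read()).items():
            status = "not checked" if ok is None else ("OK" if ok else "MISMATCH")
            print(f"{name:9s} {status}")
```

Run it as `python verify.py update(1).dll` against the extracted file. SHA256 is the lookup key, but checking the other digests too catches a corrupted or partially extracted file, and the imphash is the one value here that is expected to collide with other samples (the record notes three other TrickBot samples share it), which is why it is useful for pivoting and useless as proof of identity.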

Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness: n/a
Behaviour:
  Launching a process
  Unauthorized injection to a system process

Result
Threat name: Trickbot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour:
Behavior Graph:
Behavior Graph ID: 249883
Sample: update(1).dll
Start date: 23/07/2020
Architecture: WINDOWS
Score: 100
Sample-level signatures:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Found malware configuration
  Multi AV Scanner detection for submitted file
  2 other signatures
Process tree (signatures and network contacts are listed under the process they were observed in):
  loaddll32.exe
    regsvr32.exe
      Writes to foreign memory regions
      Allocates memory in foreign processes
      Delayed program exit found
      Contains functionality to detect sleep reduction / modifications
      wermgr.exe
        131.161.253.190, port 449 (source port 49765), TEISAPY, Paraguay
        185.90.61.9, port 443, ONEPROVIDER-ASBrainStormNetworkIncCA, United Kingdom
        8 other IPs or domains
        Tries to harvest and steal browser information (history, passwords, etc)
        Tries to detect virtualization through RDTSC time measurements
    cmd.exe
      iexplore.exe
        iexplore.exe
          pagead.l.doubleclick.net (216.58.215.226), port 443 (source ports 49749, 49750), GOOGLEUS, United States
          id.rlcdn.com (35.244.245.222), port 443 (source ports 49745, 49746), GOOGLEUS, United States
          17 other IPs or domains
Result
Threat name: Win32.Trojan.TrickBot
Status: Malicious
First seen: 2020-07-22 11:03:05 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
  Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for VirusTotal.
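The sandbox results above give two things a defender can act on: the C2 connections made by the injected wermgr.exe (131.161.253.190:449 and 185.90.61.9:443) and the process chain regsvr32.exe spawning wermgr.exe after writing to foreign memory. The script below is an added example and not part of the MalwareBazaar page or any vendor's detection content; it runs those indicators over constructed telemetry in a minimal key=value rendering of Sysmon process-create (ID 1) and network-connect (ID 3) events. The sample events, the field names and the key=value format are all assumptions made for the example. The iexplore.exe destinations on the page (doubleclick, rlcdn) are the sandbox's own browser traffic and are deliberately left out of the indicator set.

```python
"""Match the network and process indicators from this record's sandbox run
against endpoint telemetry. Added example; indicator values are taken from the
behaviour graph above, everything else here is constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Network indicators attributed to wermgr.exe in the behaviour graph. The
# Google/rlcdn destinations reached by iexplore.exe are browser noise, not IOCs.
C2_IOCS = {("131.161.253.190", 449), ("185.90.61.9", 443)}

# wermgr.exe is a legitimate Windows Error Reporting binary, so the indicator is
# the parent that spawned it (regsvr32.exe loading the DLL), not the name alone.
SUSPICIOUS_PARENT_CHILD = {("regsvr32.exe", "wermgr.exe")}

# Constructed sample telemetry (not from the page): a minimal key=value form of
# Sysmon Event ID 1 (process create) and Event ID 3 (network connect).
SAMPLE_EVENTS = [
    r'id=1 image="C:\Windows\SysWOW64\regsvr32.exe" parent="C:\Windows\SysWOW64\loaddll32.exe"',
    r'id=1 image="C:\Windows\SysWOW64\wermgr.exe" parent="C:\Windows\SysWOW64\regsvr32.exe"',
    r'id=3 image="C:\Windows\SysWOW64\wermgr.exe" dst=131.161.253.190 dport=449',
    r'id=3 image="C:\Program Files\Internet Explorer\iexplore.exe" dst=216.58.215.226 dport=443',
    r'id=3 image="C:\Windows\explorer.exe" dst=185.90.61.9 dport=443',
    r'id=1 image="C:\Windows\System32\wermgr.exe" parent="C:\Windows\System32\svchost.exe"',
]

# key=value pairs; values may be double-quoted so that paths with spaces survive.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def image_name(path: str) -> str:
    """Case-folded file name of a Windows path (last backslash-separated part)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the event matches an indicator, else None."""
    if event.get("id") == "1":
        pair = (image_name(event.get("parent", "")), image_name(event.get("image", "")))
        if pair in SUSPICIOUS_PARENT_CHILD:
            return "injection_chain"
    elif event.get("id") == "3":
        try:
            dport = int(event.get("dport", ""))
        except ValueError:
            return None  # malformed or missing port: do not guess
        if (event.get("dst"), dport) in C2_IOCS:
            return "c2_ioc"
    return None


def find_hits(lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, reason) for every line that matches an indicator."""
    hits: List[Tuple[int, str]] = []
    for index, line in enumerate(lines):
        reason = classify(parse_event(line))
        if reason is not None:
            hits.append((index, reason))
    return hits


if __name__ == "__main__":
    for index, reason in find_hits(SAMPLE_EVENTS):
        print(f"{reason:16s} {SAMPLE_EVENTS[index]}")
```

Two caveats when turning a single sandbox run into detection content: the destination IPs are a snapshot of one day's infrastructure and will go stale, whereas the parent/child relationship (a regsvr32.exe-loaded DLL spawning wermgr.exe and writing into it) describes the loader's behaviour and outlives any particular server; and the legitimate wermgr.exe started by svchost.exe in the last sample line must not fire, which is why the check keys on the parent rather than the image name.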

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments