MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8f0fe4419ee163d9230feca6a00693c5f61948159fe869ead51ec3398b7038d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8f0fe4419ee163d9230feca6a00693c5f61948159fe869ead51ec3398b7038d
SHA3-384 hash: ab496e2fe693cdf941aad80e16815b3bf53bd30ec508c663b8c400bb5e80c175f4fd65f2fce9b52568fc912bbea2d138
SHA1 hash: 276bdc086442cd91c5aed2db9edc95e2ea53e172
MD5 hash: 0248aa78d8a4d231273d6589edb0a423
humanhash: emma-oven-mountain-mango
File name:0248aa78_by_Libranalysis
Download: download sample
Signature TrickBot
Create hunting rule
File size:507'983 bytes
First seen:2021-05-13 15:07:53 UTC
Last seen:2021-05-13 15:56:24 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 8e582c210faeed0d4f7cfa9f24588236 (2 x TrickBot)
ssdeep 12288:Ap+1JQPldlr23jbH14nECojODgkT+4dk5OYh/u:91JQPflrOh4nEf5b4dGO1
Threatray 1'591 similar samples on MalwareBazaar
TLSH 07B4CF1170A18837F7EE03768D672FE3DBF5BD424BB5A04BD7829E4C09359474A2AE12
Reporter Libranalysis
Tags:TrickBot


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/156246/
Detection(s):
SecuriteInfo.com.ML.PE-A.7313.6448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/781154
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses Windows timers to delay execution
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 413550 Sample: 0248aa78_by_Libranalysis.dll Startdate: 13/05/2021 Architecture: WINDOWS Score: 96 38 Found malware configuration 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Trickbot 2->42 44 Yara detected Trickbot 2->44 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        signatures5 46 Writes to foreign memory regions 10->46 48 Allocates memory in foreign processes 10->48 50 Uses Windows timers to delay execution 10->50 17 wermgr.exe 10->17         started        20 rundll32.exe 13->20         started        22 wermgr.exe 15->22         started        process6 signatures7 26 Found potential dummy code loops (likely to delay analysis) 17->26 28 Tries to detect virtualization through RDTSC time measurements 17->28 30 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 17->30 32 Writes to foreign memory regions 20->32 34 Allocates memory in foreign processes 20->34 36 Uses Windows timers to delay execution 20->36 24 wermgr.exe 20->24         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8f0fe4419ee163d9230feca6a00693c5f61948159fe869ead51ec3398b7038d/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-05-13 15:08:08 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdyp4raz5yld3erq73fguadjhrpwdfeblh7inhvnkhwdhgfxaogq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0cbb778ba97972e04788fa7fee0d36e4c0e584df2dd07fa9cc93c6fa1a81a6b2
TrickBot
1df7adb79eb1757f7c54e86369c72a38b24ec25a608d5281b289d5e018e81757
TrickBot
241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808
TrickBot
3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18
TrickBot
678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24
TrickBot
697dea4b154178e8de096c66167b539aa4465155d294b11765f1a1886eb7c56d
TrickBot
c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2
TrickBot
d1fd867dd79bb803974e18598bdc97cbb8f51acffeb8739ce2f01dff29985803
TrickBot
e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b
TrickBot
f90aeb669c32ed6f1009101cc3c071a840f25c7828035601e92f4e17cd95b606
TrickBot
+ 1'581 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:net16 banker trojan
Link:
https://tria.ge/reports/210513-app1ksmqqs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/156246/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-13 16:03:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.012] Anti-Behavioral Analysis::Human User Check
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [F0002.002] Collection::Polling
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0050] File System Micro-objective::Set File Attributes
11) [C0052] File System Micro-objective::Writes File
12) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
13) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
14) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
15) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
16) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
17) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
18) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
19) [C0040] Process Micro-objective::Allocate Thread Local Storage
20) [C0038] Process Micro-objective::Create Thread
21) [C0054] Process Micro-objective::Resume Thread
22) [C0041] Process Micro-objective::Set Thread Local Storage Value
23) [C0055] Process Micro-objective::Suspend Thread
24) [C0018] Process Micro-objective::Terminate Process