MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa7931e3e85d3c5bd6fc2052c38bee389bfba9281a8616da3275149a689ec5eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa7931e3e85d3c5bd6fc2052c38bee389bfba9281a8616da3275149a689ec5eb
SHA3-384 hash: 10114bcd7d5231222561db883a4eaac572ca6f2a0ec48272ec66dc9602ad9991e895347ac472e0fd116bb557a53661ef
SHA1 hash: 179555b3d0391e45df29e651b8ed0342d02fe88a
MD5 hash: 25056df6d3546de971eafe5da5f9ae44
humanhash: stairway-single-pluto-bakerloo
File name:10.jjkes
Download: download sample
Signature TrickBot
Create hunting rule
File size:4'591'104 bytes
First seen:2021-02-19 16:04:02 UTC
Last seen:2021-02-19 18:48:51 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e04420383d7601c6e6dad20f85155708 (2 x TrickBot)
ssdeep 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
Threatray 1 similar samples on MalwareBazaar
TLSH 03265A3ED2C4D546D2BB6EB9F1B35960E18D785B87C9C0462AE20D8AC31F041F986F6D
Reporter cocaman
Tags:jjkes TrickBot

Intelligence

File Origin
# of uploads :
3
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118040/
Detection(s):
SecuriteInfo.com.Generic.mg.25056df6d3546de9.27959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/612854
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355438 Sample: 10.jjkes Startdate: 19/02/2021 Architecture: WINDOWS Score: 80 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Trickbot 2->41 8 loaddll32.exe 1 2->8         started        10 WerFault.exe 2->10         started        process3 process4 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 regsvr32.exe 8->17         started        19 regsvr32.exe 10->19 injected signatures5 47 Writes to foreign memory regions 12->47 49 Allocates memory in foreign processes 12->49 21 wermgr.exe 12->21         started        24 wermgr.exe 12->24         started        26 iexplore.exe 2 83 15->26         started        process6 signatures7 43 Tries to detect virtualization through RDTSC time measurements 21->43 45 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 21->45 28 iexplore.exe 5 149 26->28         started        process8 dnsIp9 31 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49744, 49745 YAHOO-DEBDE United Kingdom 28->31 33 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49738, 49739 FASTLYUS United States 28->33 35 10 other IPs or domains 28->35
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aa7931e3e85d3c5bd6fc2052c38bee389bfba9281a8616da3275149a689ec5eb/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-02-19 16:04:05 UTC
File Type:
PE (Dll)
Extracted files:
32
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vj4tdy7ilu6fxvx4ebjmhc7ohcn7xkjidkdbnwrsoukju2e6yxvq._file
Verdict:
suspicious
Similar samples:
1e749ea17f499e72237981072900998abc755bdcd0286b968d731e241c1a744a
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob60 banker trojan
Link:
https://tria.ge/reports/210219-t7aq1cfd7j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
Unpacked files
SH256 hash:
ef09fa52e71b9eb50b6bb013d7691dba1e3072b3c951a5fe1d7164104bc5a1e7
MD5 hash:
843ff7d8b9cb6419a44ef635ae9c5447
SHA1 hash:
5c2a7a5e127f7d529340a6a371b1e9729d05a3fc
Link:
https://www.unpac.me/results/3d26948d-8ac8-461d-a318-0804ab858d0c/
SH256 hash:
14e3ecb0017ddc39fde9991450e3d2a01b0cda6de8f391082b6ed4643be0cee4
MD5 hash:
6fdcb36b7976c974a8b8920580a06f8b
SHA1 hash:
1e9a8fc0ef54b7312b8635629429f3dc7ccd40ad
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/3d26948d-8ac8-461d-a318-0804ab858d0c/
SH256 hash:
aa7931e3e85d3c5bd6fc2052c38bee389bfba9281a8616da3275149a689ec5eb
MD5 hash:
25056df6d3546de971eafe5da5f9ae44
SHA1 hash:
179555b3d0391e45df29e651b8ed0342d02fe88a
Link:
https://www.unpac.me/results/3d26948d-8ac8-461d-a318-0804ab858d0c/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xls eb2199eb89e22975e2242d3f0eeaf5914a1ada5cd53183e82cb0f6e2ac3b96e9

TrickBot

DLL dll aa7931e3e85d3c5bd6fc2052c38bee389bfba9281a8616da3275149a689ec5eb

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/118040/
  
Dropped by
SHA256 eb2199eb89e22975e2242d3f0eeaf5914a1ada5cd53183e82cb0f6e2ac3b96e9
  
URLhaus
https://urlhaus.abuse.ch/url/1019758/

Comments