MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6
SHA3-384 hash: f2bb84a73dd919d71a43d23a416bd19c297a879e1d8f4089bd822256c7a128db8aa73502148063bf9d533e723085d01d
SHA1 hash: 728af6c869bc7f368b0d804cb775939d7503dc09
MD5 hash: f874e8bb4584b378ae9ecd2a8a9b8802
humanhash: nuts-yellow-romeo-charlie
File name:f874e8bb4584b378ae9ecd2a8a9b8802.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:692'736 bytes
First seen:2021-11-21 10:22:00 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 12288:kHtnskGRzd2fjXoqT3iGGVo23DoDQVZL9NmMzmLAnpA/gJWfjB8p3:GeHE7XlO/GtEPLnzzn3Jv3
Threatray 3 similar samples on MalwareBazaar
TLSH T1EFE40A56AC6CC39BF29F74FA66A82BDB9213B4658DE1C183FDDD85C603756728E04B00
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
756
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/619a1dcfdd04e7d00e00b8be/reports/affe930b-e895-4223-87c5-8fff04e2f906/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87f09803-8e61-4a8a-ba29-4e4465559997
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893255
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525728 Sample: n6J7QJs4bk.dll Startdate: 21/11/2021 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected Trickbot 2->73 75 2 other signatures 2->75 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        process3 process4 13 cmd.exe 1 9->13         started        15 rundll32.exe 9->15         started        18 rundll32.exe 9->18         started        signatures5 20 rundll32.exe 13->20         started        85 Writes to foreign memory regions 15->85 87 Allocates memory in foreign processes 15->87 89 Delayed program exit found 15->89 23 wermgr.exe 15->23         started        26 cmd.exe 15->26         started        28 wermgr.exe 18->28         started        30 cmd.exe 18->30         started        process6 dnsIp7 77 Writes to foreign memory regions 20->77 79 Allocates memory in foreign processes 20->79 32 wermgr.exe 20->32         started        36 cmd.exe 20->36         started        63 65.152.201.203 CENTURYLINK-US-LEGACY-QWESTUS United States 23->63 81 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 23->81 signatures8 process9 dnsIp10 51 128.201.76.252 PedroFArrudaJuniorMEBR Brazil 32->51 53 202.58.199.82 MILLENINDO-AS-IDInternetMadjuAbadMillenindoPTID Indonesia 32->53 55 2 other IPs or domains 32->55 65 Hijacks the control flow in another process 32->65 67 Writes to foreign memory regions 32->67 38 svchost.exe 11 32->38         started        signatures11 process12 dnsIp13 57 110.38.58.198 WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK Pakistan 38->57 59 186.96.153.223 UUNETUS Argentina 38->59 61 23 other IPs or domains 38->61 43 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 38->43 dropped 45 C:\Users\user\AppData\...\Login Data.bak, SQLite 38->45 dropped 47 C:\Users\user\AppData\Local\...\History.bak, SQLite 38->47 dropped 49 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 38->49 dropped 83 Tries to harvest and steal browser information (history, passwords, etc) 38->83 file14 signatures15
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 22:58:30 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
104b9976e7e50031ded3bf9532a79b45502732668f23092f33fc71cecaa79977
TrickBot
5190ec8f66158522da23e655a5350c5c477cdf4ddc8c64eb9306764cd72f4e2a
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:soc1 banker trojan
Link:
https://tria.ge/reports/211121-md8y8sggc7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
fcb952445e138dd50f50abe0f42d4ce2149ca82b71dfea272c6a128f0733e5d4
MD5 hash:
1876997df3b6eb6ad15aeadba62222e8
SHA1 hash:
d11ca5b0c7d0c53b378c06b3d0468e4783d3679c
Link:
https://www.unpac.me/results/a3f8fd2b-4fff-4c54-89e9-a7db74c49e00/
SH256 hash:
e98ca956f4f94b5c8b063327a1fe27fb804bc2e52190a68c577490c3192ae663
MD5 hash:
4b535dbe595f89c3bcaa4f43cc1323a3
SHA1 hash:
4162c873be81f5aac6ca0a1ed7f84bfe86ec4262
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a3f8fd2b-4fff-4c54-89e9-a7db74c49e00/
Parent samples :
19f0c6a50f5c4fc4da0233cac0ce5c3cfb70a03c15adfe9f78aaf3c2164210dc
c8967382e53061b59cf54be076b1aa75c9dd10806e786cc745f61a3bcb7b0593
ccdc5d40766fbcc6f08efaadea41d51700fd13285eecfa63781a867b8850195b
104b9976e7e50031ded3bf9532a79b45502732668f23092f33fc71cecaa79977
5190ec8f66158522da23e655a5350c5c477cdf4ddc8c64eb9306764cd72f4e2a
aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6
ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6
SH256 hash:
aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6
MD5 hash:
f874e8bb4584b378ae9ecd2a8a9b8802
SHA1 hash:
728af6c869bc7f368b0d804cb775939d7503dc09
Link:
https://www.unpac.me/results/a3f8fd2b-4fff-4c54-89e9-a7db74c49e00/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/aba735a82178/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1766024/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207865/

Comments