MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acb81dadb44ea5fac7a47aa1829865e765524bff935c74e2f31af97ed81b7479. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 8



SHA256 hash: acb81dadb44ea5fac7a47aa1829865e765524bff935c74e2f31af97ed81b7479
SHA3-384 hash: cb62a4dc5b728a28f2c7e87c5292503e39cd27a2d90db8820825a5e9b521e07457e8e38f9c8471ce71fa49393258495e
SHA1 hash: 2a285b21200cef7f27a26080ecc3a87f368aea75
MD5 hash: 6b2caef867686723927b8c0a65b83e2b
humanhash: alabama-cardinal-ten-nuts
File name: 6b2caef8_by_Libranalysis
Signature: TrickBot
File size: 655'431 bytes
First seen: 2021-05-25 16:02:25 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 6f72b0f41cc38d106823ab1b0d7fdde1 (1 x TrickBot)
ssdeep: 12288:/ltvgVm6r13KlU661Tx64NkYhGEInb9xaNVrIP3JjVaXu0WUt3f:/YalB61TVUb3gVrOjVqdWU1
Threatray: 1'620 similar samples on MalwareBazaar
TLSH: DFD4C113F5E0C47BC1AE05702E623B6963F8E9D04D7DC643EB58C61F5E33942D62A2A6
Reporter: Libranalysis
Tags: TrickBot


Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads: 1
# of downloads: 255
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Behaviour
Threat name: Win32.Trojan.MintZamg
Status: Malicious
First seen: 2021-05-25 16:03:11 UTC
AV detection: 4 of 46 (8.70%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob89 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different groups APT
Rule name: win_trickbot_a4
Author: Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments