MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49
SHA3-384 hash: 69a124a9a5965a5cef4df5928393ae7d2a341c79ca161e0d14ddb5672fe2b28f5afee0fee7c14babe36e3018fec8dd9d
SHA1 hash: a2b030ac590ed0d1c7cbcd4c2a846ca4deee2873
MD5 hash: ebf9404b5ada04ae2757c3e5b5095fc5
humanhash: harry-kansas-potato-stream
File name:DDA9.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:655'360 bytes
First seen:2021-07-20 16:57:18 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fbda6f22afa946e323789b22e60777ab (2 x TrickBot)
ssdeep 12288:a+XteF9xG1SBrWzAOsZ+6Pc+abxPusFmMoauoWyae8sOTT/Fe:a+YFy1S824QcF9+xRc8sOTT/Fe
Threatray 845 similar samples on MalwareBazaar
TLSH T1D5D4F1017AD084B3D69E223509AAA73FDBBAB2D2DD30CE4797D8FE4A9D312515C25307
Reporter malware_traffic
Tags:dll gtag mod8 mod8 TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172871/
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/212defb8-4d2c-4c4b-8b64-519c51e81af4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/819110
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451521 Sample: DDA9.dll Startdate: 20/07/2021 Architecture: WINDOWS Score: 80 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Sigma detected: CobaltStrike Load by Rundll32 2->57 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 rundll32.exe 9->15         started        18 cmd.exe 1 9->18         started        20 rundll32.exe 9->20         started        signatures5 69 Writes to foreign memory regions 15->69 71 Allocates memory in foreign processes 15->71 73 Delayed program exit found 15->73 22 wermgr.exe 15->22         started        26 cmd.exe 15->26         started        28 rundll32.exe 18->28         started        30 wermgr.exe 20->30         started        32 cmd.exe 20->32         started        process6 dnsIp7 49 74.85.157.139, 443, 49744 FUSEPR Puerto Rico 22->49 51 170.238.117.187, 443, 49759 America-NETLtdaBR Brazil 22->51 53 12 other IPs or domains 22->53 59 May check the online IP address of the machine 22->59 61 Writes to foreign memory regions 22->61 63 Tries to detect virtualization through RDTSC time measurements 22->63 65 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 22->65 34 cmd.exe 1 22->34         started        67 Allocates memory in foreign processes 28->67 36 wermgr.exe 28->36         started        39 cmd.exe 28->39         started        signatures8 process9 dnsIp10 41 conhost.exe 34->41         started        43 190.144.10.242, 443, 49760 TelmexColombiaSACO Colombia 36->43 45 24.162.214.166, 443, 49741, 49745 TWC-11427-TEXASUS United States 36->45 47 12 other IPs or domains 36->47 process11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxrkoohxl4csoiusgzarndilhbrjqhqn2i5tda2mcuqbeottxzeq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
458844d1edad3253667e6eea0dc735a748e87ff784cbf12c80f05c15e96ec3d9
TrickBot
6b9c6a3cb61aa69e521120369f8d4bfbc91a4259dfe79996a512e2a1c3cd85ef
TrickBot
7d6688ec15f6fec19a2cc6743f3fe50f5dcf79d14f122f3ebdf844464c45abec
TrickBot
8a5ab991e0f8318707d517aee2a9a0689b5908050e17b6afce77e83544fcaaa8
TrickBot
8eb708fb8f044596b841b47c2d75f6c02f878f5685b75008084c70752b961d15
TrickBot
cc874aecc69d4a5b5694f59c3896fe36ec29a44ce77e4f07c7cd5ec9f3b04688
TrickBot
d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48
TrickBot
e70bf6458eee2cfcf961aa219af2296cf14df04a9dbb3686ddcde1478fe38265
TrickBot
f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3
TrickBot
fccb8dea9ab7e194eadc863a8e7658b9076fddd4b645b4241ab5b9a33997afcc
TrickBot
+ 835 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:mod8 banker trojan
Link:
https://tria.ge/reports/210720-t6zddmxl66/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
0cd813f2a798adaf7433a2bad00cc47c2c17bcb84f5b51951be84d5def29ff5b
MD5 hash:
00b9277b9dbfbb7a192ee42f0b283dbb
SHA1 hash:
d581daa3e6c351c450fc4b69c5b08e80e20bc088
Link:
https://www.unpac.me/results/cff373d1-9c0d-498a-ab12-74501c7fb6ba/
SH256 hash:
3e9695ea827f4b55703cc173f11593154b196c8bbae33424b4ac3cd78eebe2b3
MD5 hash:
49e7e9816c23a1a134cda26590b2db76
SHA1 hash:
a810d195db18570a1f772fe0c1daf998ff3dcb39
Link:
https://www.unpac.me/results/cff373d1-9c0d-498a-ab12-74501c7fb6ba/
SH256 hash:
f308268d35424cb6755442c870fea683612f07c4f32b15aa29525d7a2cc38522
MD5 hash:
54ad5298743583704d2e7d4e4c1eff14
SHA1 hash:
772d76f7a42b8f91bac136f3459f97629f8f0bae
Link:
https://www.unpac.me/results/cff373d1-9c0d-498a-ab12-74501c7fb6ba/
SH256 hash:
2e362a566d2d2fa5ca041e858375a98619c3bdcf7d6109bc62a9296119425304
MD5 hash:
cdde1f75cb37f1c8b7f42632be0432f8
SHA1 hash:
15516a6122f0c056739aae5d67d76c9797a3a1cd
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/cff373d1-9c0d-498a-ab12-74501c7fb6ba/
Parent samples :
8eb708fb8f044596b841b47c2d75f6c02f878f5685b75008084c70752b961d15
ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49
SH256 hash:
ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49
MD5 hash:
ebf9404b5ada04ae2757c3e5b5095fc5
SHA1 hash:
a2b030ac590ed0d1c7cbcd4c2a846ca4deee2873
Link:
https://www.unpac.me/results/cff373d1-9c0d-498a-ab12-74501c7fb6ba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172871/

Comments