MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
SHA3-384 hash: 5be25ebab0c2a300402c38cce44cf383738fcfd137a7134ea9b8279d1bcb8678f29d50faab7be9a7eda7df002b109909
SHA1 hash: 8cd435cf4c5b446e5ff5e72a56e0569da3a0d4ef
MD5 hash: ed30160772181f91ee15126bfb0756ab
humanhash: orange-arkansas-quiet-item
File name:ed30160772181f91ee15126bfb0756ab.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:532'480 bytes
First seen:2021-09-22 18:12:22 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 5c9a9773c96ef9c47915be337e1489a1 (6 x TrickBot)
ssdeep 6144:tIl3f5on8R0CBtsabvbA0iRugpw8mI3R5y4MAIJ+CczfBsx2X/HSpu9SiWaKMVe1:tk32q0CB5qwq6cBsxsPUmYa1B3js
Threatray 3'756 similar samples on MalwareBazaar
TLSH T18AB4CF42B2C0C076E27F537149775B5A26AEFD248BF1A94BB744BE3D0F35291852EA03
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190383/
Detection(s):
SecuriteInfo.com.VHO.Trojan.Win32.Injector.gen.24662.13088.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Win32.Trickpak.4c.24101.28805.UNOFFICIAL
Create hunting rule

Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cd010f4-c4fa-4f3b-8ad7-893cef80744e
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855906
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488337 Sample: CPWpaRIC4Q.dll Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Found malware configuration 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 3 other signatures 2->78 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        12 rundll32.exe 2->12         started        process3 process4 14 rundll32.exe 8->14         started        17 cmd.exe 1 8->17         started        19 rundll32.exe 8->19         started        signatures5 92 Writes to foreign memory regions 14->92 94 Allocates memory in foreign processes 14->94 96 Queues an APC in another process (thread injection) 14->96 21 wermgr.exe 14->21         started        25 cmd.exe 14->25         started        27 rundll32.exe 17->27         started        29 wermgr.exe 19->29         started        31 cmd.exe 19->31         started        process6 dnsIp7 66 105.27.205.34, 443, 49752, 49787 SEACOM-ASMU Mauritius 21->66 68 128.201.76.252, 443, 49737, 49740 PedroFArrudaJuniorMEBR Brazil 21->68 70 6 other IPs or domains 21->70 82 Hijacks the control flow in another process 21->82 84 May check the online IP address of the machine 21->84 86 Writes to foreign memory regions 21->86 90 2 other signatures 21->90 33 svchost.exe 11 21->33         started        38 svchost.exe 21->38         started        40 svchost.exe 21->40         started        88 Allocates memory in foreign processes 27->88 42 wermgr.exe 27->42         started        44 cmd.exe 27->44         started        signatures8 process9 dnsIp10 54 36.89.79.127, 443, 49802, 49823 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 33->54 56 36.94.167.167, 443, 49803, 49824 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 33->56 62 18 other IPs or domains 33->62 46 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 33->46 dropped 48 C:\Users\user\AppData\...\Login Data.bak, SQLite 33->48 dropped 50 C:\Users\user\AppData\Local\...\History.bak, SQLite 33->50 dropped 52 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 33->52 dropped 80 Tries to harvest and steal browser information (history, passwords, etc) 33->80 58 5.152.175.57, 443, 49754 SKYLOGIC-ASIT Spain 42->58 60 181.129.167.82, 443, 49738, 49743 EPMTelecomunicacionesSAESPCO Colombia 42->60 64 6 other IPs or domains 42->64 file11 signatures12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 18:13:09 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
TrickBot
03b58de7881d04ca77d4e7473b5876b5b648f7366cd25b7f9bad4b851c22f201
TrickBot
0dd6adc7f40fac5c8268853f41a248996fc4554f227bf6486e5261e506b0c876
TrickBot
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
c66a20d9e2351668f01bf739263433d42206f1d5302114f72497df5104063ee0
TrickBot
eb8a74d8f5a93d86a431a8a4c47d3be79ad4330d12bfbcd533338498cd9af94d
TrickBot
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
TrickBot
ff2e1604b5ab04fc43039d5f94d08073f756115b1018846a253c0ad93ed94f8b
TrickBot
+ 3'746 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob133 banker trojan
Link:
https://tria.ge/reports/210922-wts3dsddg5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
6235365fae1fcaa6e8f3343e765ef47eab65dc17d9820834a6e72b4929b275d0
MD5 hash:
b96a0c7500cdd30940f9d3b67c320318
SHA1 hash:
adbbd1371cff40c59d2f5497ab5b0988e9897e74
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b0031e23-2d2d-4858-abed-0c7128596158/
Parent samples :
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
fdbbfcaac090ccd1b7ce3289ea862e5c8f0ced4318f368db0e6976df950e9706
135dfd26acc2ab044b4159e7e0da289e2c7835c4049100106a00ca7d232bddea
0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277
SH256 hash:
ba545e55228cfc740224d9e71fe535d8a61aa420bc7291e51976627c60560111
MD5 hash:
f7a03324b77866ca1f90f8997e371e4b
SHA1 hash:
9162794fefe5a8a20264a07fe8fe75c10e8894d8
Link:
https://www.unpac.me/results/b0031e23-2d2d-4858-abed-0c7128596158/
SH256 hash:
75bea7e6e72fc4fcbd5fb4bc5e4adb274b89acec08b50890212b2c4fa3586e41
MD5 hash:
8fe3f8f60b6658aec777f30282b32425
SHA1 hash:
33b2c8dd7dea6755ffadaa9e81acbea0cd620b5a
Link:
https://www.unpac.me/results/b0031e23-2d2d-4858-abed-0c7128596158/
SH256 hash:
5e1d15a0f3ce1f88516b539b6f28a210385bafc05cb4399ecd07389619d051e7
MD5 hash:
c6fc9418fb7b4b970923b1a634bd0903
SHA1 hash:
024822d0a0091823083054fb47900b8cd4a658a2
Link:
https://www.unpac.me/results/b0031e23-2d2d-4858-abed-0c7128596158/
SH256 hash:
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
MD5 hash:
ed30160772181f91ee15126bfb0756ab
SHA1 hash:
8cd435cf4c5b446e5ff5e72a56e0569da3a0d4ef
Link:
https://www.unpac.me/results/b0031e23-2d2d-4858-abed-0c7128596158/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190383/

Comments