MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf4ae4ae2f499398bfc9a03fcded6b5cfc215f03b67d1a8fbd8af3f3cb5e91c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf4ae4ae2f499398bfc9a03fcded6b5cfc215f03b67d1a8fbd8af3f3cb5e91c5
SHA3-384 hash: f18294805d0199f1723c6f13a850fa9174b2cc2932228d0eac654ad1769f880eed0a4c655fa22937cdf4b88d70f5ae5c
SHA1 hash: 4449d60713c1797eea9376ea4301704d71afcb89
MD5 hash: 67b8974e1fe85aac790c676170db5991
humanhash: spring-zebra-three-winner
File name:1.php
Download: download sample
Signature TrickBot
Create hunting rule
File size:638'976 bytes
First seen:2021-07-20 15:09:15 UTC
Last seen:2021-07-20 15:53:18 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash fbda6f22afa946e323789b22e60777ab (2 x TrickBot)
ssdeep 12288:YMfVCq3EuoWyae8sOTT/Fe6PJIaVE++5gJONjPi:JfVCAc8sOTT/FeEtVu5gOPi
Threatray 842 similar samples on MalwareBazaar
TLSH T173D4E1417AD180B3D65E123249AA977FDBBAB683D930CE4BE7C8FD4A9D312415C24327
Reporter abuse_ch
Tags:dll sat2 TrickBot


Avatar
abuse_ch
TrickBot payload URLs:
http://162.248.225.97/1.php
http://162.248.227.35/clean.php

TrickBot C2s:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Intelligence

File Origin
# of uploads :
3
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172855/
Detection(s):
SecuriteInfo.com.generic.ml.28262.3832.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoinMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9991292e-ac38-4109-acd0-530d66b19170
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/819061
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Sigma detected: Regsvr32 Command Line Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451472 Sample: 1.php Startdate: 20/07/2021 Architecture: WINDOWS Score: 68 80 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->80 82 Sigma detected: Regsvr32 Command Line Without DLL 2->82 10 loaddll32.exe 1 2->10         started        13 rundll32.exe 2->13         started        15 regsvr32.exe 2->15         started        17 rundll32.exe 2->17         started        process3 signatures4 88 Writes to foreign memory regions 10->88 90 Allocates memory in foreign processes 10->90 19 regsvr32.exe 10->19         started        22 cmd.exe 1 10->22         started        24 rundll32.exe 10->24         started        26 3 other processes 10->26 process5 signatures6 84 Writes to foreign memory regions 19->84 86 Allocates memory in foreign processes 19->86 28 wermgr.exe 19->28         started        32 cmd.exe 19->32         started        34 rundll32.exe 22->34         started        36 wermgr.exe 24->36         started        38 cmd.exe 24->38         started        40 iexplore.exe 5 149 26->40         started        process7 dnsIp8 60 190.61.43.241, 443, 49773 UFINETPANAMASAPA Colombia 28->60 62 97.83.40.67, 443, 49746, 49748 CHARTER-20115US United States 28->62 68 8 other IPs or domains 28->68 92 Tries to detect virtualization through RDTSC time measurements 28->92 94 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 28->94 42 cmd.exe 28->42         started        96 Writes to foreign memory regions 34->96 98 Allocates memory in foreign processes 34->98 44 wermgr.exe 34->44         started        48 cmd.exe 34->48         started        64 185.81.51.44, 443, 49763 VIA-SMSLV Latvia 36->64 66 190.145.83.98, 443, 49767 TelmexColombiaSACO Colombia 36->66 70 6 other IPs or domains 36->70 50 cmd.exe 36->50         started        72 8 other IPs or domains 40->72 signatures9 process10 dnsIp11 52 conhost.exe 42->52         started        74 170.238.117.187, 443, 49769 America-NETLtdaBR Brazil 44->74 76 60.51.47.65, 443, 49747, 49764 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 44->76 78 8 other IPs or domains 44->78 100 Writes to foreign memory regions 44->100 54 cmd.exe 44->54         started        56 conhost.exe 50->56         started        signatures12 process13 process14 58 conhost.exe 54->58         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bf4ae4ae2f499398bfc9a03fcded6b5cfc215f03b67d1a8fbd8af3f3cb5e91c5/
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
250d4fb488729b671611e96c8801875221b5086aa44562acd2b6a56488ca8150
TrickBot
430efdb79d9d0560d74c99566671d064f93746e4162fc8c492a5b023ac6c0442
TrickBot
6ac9af13a02c781f20484c344a61f47c1988b93f99786fcb93042678ac7be760
TrickBot
82ee229f96371decb519948d2b1cffdccb39859fca84909032acef7da5bd0093
TrickBot
970fe530e3eaa88b4ae4e9cfff4d911874ab45c7e8026522d89a8f97632a5726
TrickBot
c3f153bb4b44d9e0cb3cab0bf7eed03b8eea280b97756937dedbe74c7013a3d3
TrickBot
cc874aecc69d4a5b5694f59c3896fe36ec29a44ce77e4f07c7cd5ec9f3b04688
TrickBot
dea612148b5f17340638f8d3939c519013c5e28eb1aaacc2c026a1cbb885314b
TrickBot
ef59cf16bcd6d9d4da6595b18b4f874da6acfe6893773260af17fc34b58f3ad0
TrickBot
+ 832 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:sat2 banker trojan
Link:
https://tria.ge/reports/210720-hj8w8bw5la/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
3360a86e97c8c2000ccb498df553913f20003aa1ee3fe51ae297e1d2da94bf78
MD5 hash:
dffdfb8b5294e9c1597644dd6c2db782
SHA1 hash:
367e76bff641e887977e0bc0b9bcb695b9d56ec7
Link:
https://www.unpac.me/results/943ead6f-dbc8-4d3f-b359-71e77909adaf/
SH256 hash:
ff18806e767c6d70e7069674e80acc70b5e9bdf3b0b110bb4446dd8b9ee50338
MD5 hash:
499cfdec9741133219d7262856536b56
SHA1 hash:
12b3f2e70c750f4be1b2a18f4957d5256f2e4ac4
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/943ead6f-dbc8-4d3f-b359-71e77909adaf/
SH256 hash:
bf4ae4ae2f499398bfc9a03fcded6b5cfc215f03b67d1a8fbd8af3f3cb5e91c5
MD5 hash:
67b8974e1fe85aac790c676170db5991
SHA1 hash:
4449d60713c1797eea9376ea4301704d71afcb89
Link:
https://www.unpac.me/results/943ead6f-dbc8-4d3f-b359-71e77909adaf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf4ae4ae2f499398bfc9a03fcded6b5cfc215f03b67d1a8fbd8af3f3cb5e91c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xlsm 41b7544d4b5ccdda8eea4ac8a7d7204d157301e87a41756cddbf8b451699338c

TrickBot

DLL dll bf4ae4ae2f499398bfc9a03fcded6b5cfc215f03b67d1a8fbd8af3f3cb5e91c5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/browse/tag/sat2/
  
Dropped by
SHA256 41b7544d4b5ccdda8eea4ac8a7d7204d157301e87a41756cddbf8b451699338c
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172855/

Comments