MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
SHA3-384 hash: e776c0022a81c794e802d728cb25011c69e3fc68f4ef87181ab9bfd36782a89e3a4309abf1fec5dec1c8b6e011df7952
SHA1 hash: f7233d983272e37c5c74949dafbb07ff767b8bf7
MD5 hash: 7c44e0a43e508476eda5f699d39a0c7f
humanhash: missouri-bluebird-mango-neptune
File name:dHAfdxR.img
Download: download sample
Signature TrickBot
Create hunting rule
File size:671'744 bytes
First seen:2021-08-05 15:59:08 UTC
Last seen:2021-08-05 16:50:18 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 8b7fb8fc4de24822c3d2cd067d85f8ec (1 x TrickBot)
ssdeep 12288:5bjfhtlWxycV80o3xKA3cHfnoEQOuG/ENYIm8MxxO9qrcOJz8:5bj9ZcG0CxKA3cHPoEQRjNXNYxtnF
Threatray 948 similar samples on MalwareBazaar
TLSH T18CE4CF20B6E4813AD5BE36341A673F2452F5FCB0197AC683F7C4993F69336414A2772A
dhash icon 71b519d4c7576333 (2 x TrickBot)
Reporter abuse_ch
Tags:3362289 dll exe fake img rob120 TrickBot


Avatar
abuse_ch
TrickBot payload URLs:
http://colegasonline.com/excel.php
http://colegasonline.com/dHAfdxR.img

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Intelligence

File Origin
# of uploads :
3
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176734/
Detection(s):
SecuriteInfo.com.UDS.Trojan-Banker.Win32.Trickster.gen.11687.13491.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/822d0f7c-5581-400d-8e2d-f65e0dd104b9
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827500
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 459929 Sample: dHAfdxR.img Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Found malware configuration 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 4 other signatures 2->74 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        process3 process4 13 rundll32.exe 9->13         started        16 rundll32.exe 9->16         started        18 cmd.exe 1 9->18         started        signatures5 86 Writes to foreign memory regions 13->86 88 Allocates memory in foreign processes 13->88 20 wermgr.exe 3 13->20         started        25 cmd.exe 13->25         started        27 wermgr.exe 16->27         started        29 cmd.exe 16->29         started        31 rundll32.exe 18->31         started        process6 dnsIp7 62 5.152.175.57, 443, 49733 SKYLOGIC-ASIT Spain 20->62 64 ipecho.net 34.117.59.81, 49730, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->64 66 6 other IPs or domains 20->66 56 C:\Users\user\AppData\...\zfdHAfdxRtv.grf, PE32 20->56 dropped 78 Hijacks the control flow in another process 20->78 80 May check the online IP address of the machine 20->80 82 Writes to foreign memory regions 20->82 84 2 other signatures 20->84 33 svchost.exe 13 20->33         started        38 svchost.exe 20->38         started        40 svchost.exe 20->40         started        42 svchost.exe 20->42 injected 44 cmd.exe 31->44         started        file8 signatures9 process10 dnsIp11 58 45.230.176.157, 443, 49740, 49750 NetMontesTelecomunicacoeseServicosLtdaBR Brazil 33->58 60 63.147.234.198, 443, 49741, 49751 DC7US United States 33->60 48 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 33->48 dropped 50 C:\Users\user\AppData\...\Login Data.bak, SQLite 33->50 dropped 52 C:\Users\user\AppData\Local\...\History.bak, SQLite 33->52 dropped 54 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 33->54 dropped 76 Tries to harvest and steal browser information (history, passwords, etc) 33->76 46 cmd.exe 38->46         started        file12 signatures13 process14
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942/
Threat name:
Win32.Infostealer.Trickster
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 16:00:07 UTC
File Type:
PE (Dll)
Extracted files:
28
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6a22nb5z2fvcskb77khk5vxryblihbdv3ezd7k2jcwqbrt23fba._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0add7ef3e57fd9a619be1befd6df759a53b53952c4c2b4a10facdddedcc5174c
TrickBot
5c3106248f206daef2fe467eb407f898d04b3fa5e69ce8ffb13d5d5726dd8e38
TrickBot
892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7
TrickBot
9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad
TrickBot
cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4
TrickBot
fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be
TrickBot
+ 938 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob120 banker trojan
Link:
https://tria.ge/reports/210805-jsfc9lnrd6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
ff33a9ed8fbbc95cf9d20e1e8798c27ab07be69e76411b430c991285b03f1f47
MD5 hash:
53255326d92a57a956a9addcdfef6c86
SHA1 hash:
b9f3b7146590551ffde93de03a6156c87f09ad21
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/0cca67e8-fc16-46df-ae47-4d52b9434e35/
Parent samples :
892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7
bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
SH256 hash:
f0cd6c49e7afe877f2351a00e9b5cdb5fe39053d912940aa0825f7903372876c
MD5 hash:
7eaf2441e9508dff4c89e1557cbdb166
SHA1 hash:
61e414671292c73dd7b513616d72c040178125e0
Link:
https://www.unpac.me/results/0cca67e8-fc16-46df-ae47-4d52b9434e35/
SH256 hash:
03f3694e08f743f5dfcb56e4300fc3b6af1de82122b6d9054d7d2d3b1d607818
MD5 hash:
e35d2c7e9baad827049d090994840086
SHA1 hash:
40cc4637fd3b6fc98c1bbb66fc46b3bafd9b52ea
Link:
https://www.unpac.me/results/0cca67e8-fc16-46df-ae47-4d52b9434e35/
SH256 hash:
d4831f579404ce1ce827ffe32cce94248492c9f92761f0c0371b09e3e7af5742
MD5 hash:
c166f53963f2506041d181a133fb6779
SHA1 hash:
2f5e652b784afe394c0ca2f71d4efe129b9e8378
Link:
https://www.unpac.me/results/0cca67e8-fc16-46df-ae47-4d52b9434e35/
SH256 hash:
bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
MD5 hash:
7c44e0a43e508476eda5f699d39a0c7f
SHA1 hash:
f7233d983272e37c5c74949dafbb07ff767b8bf7
Link:
https://www.unpac.me/results/0cca67e8-fc16-46df-ae47-4d52b9434e35/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bf81ad343dce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Java Script (JS) js 5fbb240503648b2446f2a39c3e7b0fa67abbafa023859d8d055019598f0cdb58

TrickBot

DLL dll bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/host/colegasonline.com/
  
Dropped by
SHA256 5fbb240503648b2446f2a39c3e7b0fa67abbafa023859d8d055019598f0cdb58
  
Dropped by
MD5 180da095d8555127d0b820955514e835
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/176734/
  
URLhaus
https://urlhaus.abuse.ch/url/1508718/

Comments