MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot
Vendor detections: 9



SHA256 hash: c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63
SHA3-384 hash: 6e61ca6fa61e8872d3081f21d498d1bc0fea68986ea106b9db0e57dce93d5421a858554dc7b8bb17d25b0ab2905ee60c
SHA1 hash: 299c710f249b80580105014d4e4e9b92f32e0577
MD5 hash: 7ba23b2b6b50cfc3711362f465d926be
humanhash: texas-fish-social-sixteen
File name: mon4498.dll
Signature: TrickBot
File size: 391'168 bytes
First seen: 2021-02-12 18:42:40 UTC
Last seen: Never
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: b1499cb142564fa400e4b0c23ddfe209 (1 x TrickBot)
ssdeep: 6144:fPJ2RupdW5InjhWSfLCkRQLJ93pwGWszsMuB6y4WRCk4y7hiJm:qQdZjhW8LDR2dPWcsMuB54WRb7hiJm
Threatray: 101 similar samples on MalwareBazaar
TLSH: BB84F20CF3EA8D90D5926AF9C568C9FE5829BC924C32D537BCCB3A1974F81944CE950E
Reporter: James_inthe_box
Tags: dll TrickBot

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 142
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: TrickBot
Detection: malicious
Classification: troj
Score: 60 / 100
Signature:
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Trickbot
Behaviour:
Behavior Graph (ID 352563; sample mon4498.dll; start date 12/02/2021; architecture WINDOWS; score 60). Information recovered from the graph rendering:
Root-node signatures: Multi AV Scanner detection for submitted file; Yara detected Trickbot; Machine Learning detection for sample
Process tree: loaddll32.exe started cmd.exe and regsvr32.exe; WerFault.exe injected into a second regsvr32.exe; cmd.exe started iexplore.exe, which started a second iexplore.exe
Network (from the second iexplore.exe): edge.gycpi.b.yahoodns.net 87.248.118.22 port 443 (YAHOO-DEBDE, United Kingdom); tls13.taboola.map.fastly.net 151.101.1.44 port 443 (FASTLYUS, United States); 10 other IPs or domains

Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-02-11 04:34:38 UTC
File Type: PE (Dll)
Extracted files: 10
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:mon44 banker trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
Unpacked files
SHA256 hash: 7b271c1ce3d56a02bee4d5b17903ebef8145faa40cf2588deaa8337246100a7e
MD5 hash: 1c0c80523301fefa1df8b96f5242cccb
SHA1 hash: 8e85920bb04dc29a4f02f030567f153b4d73d6e6
Detections: win_trickbot_a4 win_trickbot_auto

SHA256 hash: 2c24b76bb489136ebc17ab04ab2d1374e1e6e4c5313e48a861e8fecd622ea013
MD5 hash: 4b610beca973876ab93e17e3d5a017f1
SHA1 hash: f68f84f65913396cfc24232c6afd6eb32e718fee

SHA256 hash: c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63
MD5 hash: 7ba23b2b6b50cfc3711362f465d926be
SHA1 hash: 299c710f249b80580105014d4e4e9b92f32e0577
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments