MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5
SHA3-384 hash: f53e6278733133e81e67979cb91099c9356c6669c34aac85b0d9dc0e374e0913a7dd900ecbf874344e8fabeece897048
SHA1 hash: 62b5817b5e7207860f41756f8d8c6f67181c5711
MD5 hash: 3849bff44573d4b05cfae75cf9af9c24
humanhash: lima-eight-zebra-potato
File name:3849bff44573d4b05cfae75cf9af9c24
Download: download sample
Signature TrickBot
Create hunting rule
File size:397'355 bytes
First seen:2021-08-19 07:25:54 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 89aafe32fea223936c5c233bf06df6d3 (4 x TrickBot)
ssdeep 6144:vW3hPJF9A3hAfKKC64zROB6NBbTN+qGfhI6zSRZKhoRli2fFzs:vWRRAhAfKbRO6NBbTMp/STKhoHi2fFzs
Threatray 1'529 similar samples on MalwareBazaar
TLSH T13784E062F2D600B6CDBB5AB4082F2AB2CE752D485BE44BCF2F94EA8F10375D18532355
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter zbetcheckin
Tags:32 dll exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180562/
Detection(s):
SecuriteInfo.com.Artemis32F0B80EB20E.6175.9223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce1690f3-d1e5-49f0-a4d6-0f76dd72b460
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835577
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468007 Sample: jOADcGL8P4 Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Found malware configuration 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 4 other signatures 2->79 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        15 UpdateNotificationMgr.exe 2->15         started        process3 process4 17 rundll32.exe 9->17         started        20 cmd.exe 1 9->20         started        22 rundll32.exe 9->22         started        24 rundll32.exe 11->24         started        signatures5 67 Writes to foreign memory regions 17->67 69 Allocates memory in foreign processes 17->69 71 Delayed program exit found 17->71 26 wermgr.exe 17->26         started        30 cmd.exe 17->30         started        32 rundll32.exe 20->32         started        34 wermgr.exe 22->34         started        36 cmd.exe 22->36         started        38 wermgr.exe 24->38         started        40 cmd.exe 24->40         started        process6 dnsIp7 55 105.27.205.34, 443, 49720 SEACOM-ASMU Mauritius 26->55 57 46.99.175.217, 443, 49717, 49719 IPKO-ASAL Albania 26->57 59 7 other IPs or domains 26->59 81 May check the online IP address of the machine 26->81 83 Writes to foreign memory regions 26->83 85 Tries to detect virtualization through RDTSC time measurements 26->85 87 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 26->87 42 svchost.exe 26->42         started        89 Allocates memory in foreign processes 32->89 44 wermgr.exe 3 32->44         started        49 cmd.exe 32->49         started        signatures8 process9 dnsIp10 61 185.56.175.122, 443, 49710, 49713 VIRTUAOPERATOR-ASPL Poland 44->61 63 182.253.210.130, 443, 49714 BIZNET-AS-APBIZNETNETWORKSID Indonesia 44->63 65 7 other IPs or domains 44->65 53 C:\Users\user\AppData\...\drjOADcGL8P4dt.dmo, PE32 44->53 dropped 91 Writes to foreign memory regions 44->91 51 svchost.exe 44->51         started        file11 signatures12 process13
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5/
Threat name:
Win32.Infostealer.Trickster
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 07:26:06 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
145922b0a4d90db4438ca924535a6f058472744a29b3a4f2875846a84bd41b99
TrickBot
336c374c048c503e3e4f6d5f3d357ca49cc5ecf0187378a3869edcc050b9d441
TrickBot
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
TrickBot
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
TrickBot
82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
f60d8bd3ca821e7de945f17d646654b7c0f25949aa8c6f780313925076444fc2
TrickBot
ff460f5b7a62a1fcd51e82bf43fc7b5264552c53e3924ffb771d7c8355a99ade
TrickBot
+ 1'519 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob122 banker trojan
Link:
https://tria.ge/reports/210819-8hywfy3h7a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
2b1486851660e075c92aa7d897d7772f09f4a28f00493af4e16d9539dd03f2d5
MD5 hash:
08a3e3e5f6ffbd21e1c997d1680329a2
SHA1 hash:
c7934cf033056c2bb41b8c632d1d09850445923f
Link:
https://www.unpac.me/results/edc90299-66f0-4b7b-95bf-cdaea292bf6d/
SH256 hash:
e18e981ed0ce0fbae5a9e779dc079912c76579f2d263b06a2ad0ae2aa9650371
MD5 hash:
1376d8eae859c63397f2b893a8aa2f41
SHA1 hash:
c528ec9eec33311caa802f0c8c348f5455f942fa
Link:
https://www.unpac.me/results/edc90299-66f0-4b7b-95bf-cdaea292bf6d/
SH256 hash:
d252d3b6a54c92fa72aca6b1f6ab8f496bf3cf8fd26b896119833049ea838a04
MD5 hash:
1247b0034cbbbe01806723a4c7e1049c
SHA1 hash:
67dd211e1fc07c6f6237919981c4e9567d35bc05
Link:
https://www.unpac.me/results/edc90299-66f0-4b7b-95bf-cdaea292bf6d/
SH256 hash:
607ae69db9a94f6c75a215adcd1a9ffbdd4a66c09ec0d50f274f83cab8ad58f2
MD5 hash:
b3de5e4b04465abeff5029931234f2b4
SHA1 hash:
341533cf70a4f74f3bf9313ba9570d7930bb2f9b
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/edc90299-66f0-4b7b-95bf-cdaea292bf6d/
Parent samples :
82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4
607ae69db9a94f6c75a215adcd1a9ffbdd4a66c09ec0d50f274f83cab8ad58f2
cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5
2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
9c8e26bdf89634254162a5529bd2c8c3bc4c2215be3d7cb39a47fcd0327c045d
SH256 hash:
cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5
MD5 hash:
3849bff44573d4b05cfae75cf9af9c24
SHA1 hash:
62b5817b5e7207860f41756f8d8c6f67181c5711
Link:
https://www.unpac.me/results/edc90299-66f0-4b7b-95bf-cdaea292bf6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180562/

Comments


Avatar
zbet commented on 2021-08-19 07:25:55 UTC

url : hxxp://91.92.109.16/images/redtank.png