MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccdc5d40766fbcc6f08efaadea41d51700fd13285eecfa63781a867b8850195b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot
Vendor detections: 8



SHA256 hash: ccdc5d40766fbcc6f08efaadea41d51700fd13285eecfa63781a867b8850195b
SHA3-384 hash: 2fd985ae01e5340be4efc420cf34f82fca24c9f455802799daaac5595eb573b32776f7da56bc8d1385b51405b99f4e6b
SHA1 hash: 9024ce4825314b5d9112b2c8b7e0745d6bbc57c5
MD5 hash: ec5660120d69e62d14a6fb03e4f4483b
humanhash: jupiter-equal-victor-angel
File name: SecuriteInfo.com.ML.PE-A.26667.3627
Signature: TrickBot
File size: 684'544 bytes
First seen: 2021-11-08 22:22:27 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 17cd9f87fbb27686b2cd8f8d33695e92 (4 x TrickBot)
ssdeep: 6144:1uNDZo15/Lb175yZhtHQqPm52aYYiHx/874uQYKJHD4YCYrde7:qDSHL575qLP0tKJH+1
TLSH: T168E419199C3483ABF3ED21F6666C2FEE942781A055A1C03FA99D99D013747BBEC09713
Reporter: SecuriteInfoCom
Tags: dll TrickBot

Intelligence


File Origin
# of uploads: 1
# of downloads: 204
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: TrickBot
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
Allocates memory in foreign processes
Delayed program exit found
Found detection on Joe Sandbox Cloud Basic with higher score
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Svchost Process
Sigma detected: UNC2452 Process Creation Patterns
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 518064, Sample: SecuriteInfo.com.ML.PE-A.26..., Startdate: 08/11/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Infostealer.TrickBot
Status: Malicious
First seen: 2021-11-08 22:23:06 UTC
AV detection: 12 of 28 (42.86%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:soc1 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: fcb952445e138dd50f50abe0f42d4ce2149ca82b71dfea272c6a128f0733e5d4
MD5 hash: 1876997df3b6eb6ad15aeadba62222e8
SHA1 hash: d11ca5b0c7d0c53b378c06b3d0468e4783d3679c

SHA256 hash: ccdc5d40766fbcc6f08efaadea41d51700fd13285eecfa63781a867b8850195b
MD5 hash: ec5660120d69e62d14a6fb03e4f4483b
SHA1 hash: 9024ce4825314b5d9112b2c8b7e0745d6bbc57c5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments