MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4
SHA3-384 hash:	5ef23dcbe64d41a515b04af8e6155b0abdcf2b43470cfe09244029128db4ab4a994fd4393dd18d3d4650466b6e294024
SHA1 hash:	6b4f51126c575dbf9ba264bab17b602e31c23e0d
MD5 hash:	8dcc2d557edcd14aa33dd738ea58f937
humanhash:	kitten-pennsylvania-september-fruit
File name:	rockstargarmes.pdf
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	614'400 bytes
First seen:	2021-07-29 14:51:17 UTC
Last seen:	2021-07-29 16:05:57 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	170fa18cf362a3ea8cc8edbec346f3aa (1 x TrickBot)
ssdeep	12288:gjBb925xIKt+wxNoC2NXH0tndFqvK9tZHkS1oKfqe9KS:A25xIKwlNEtdAvKjLzfES
Threatray	908 similar samples on MalwareBazaar
TLSH	T1C7D4DF03F2E0C039C1BE02343F656BA8E6F9FD605DB5DA4767C18B4E5D32941AA36726
dhash icon	71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter	abuse_ch
Tags:	dll rob116 TrickBot

abuse_ch

38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Intelligence

File Origin

# of uploads :

# of downloads :

249

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175064/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.26138.29725.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

TrickBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/90c516cb-ea0f-4474-bcb0-5b2fc802e124

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

n/a

Score:

22 / 100

Link:

https://www.joesandbox.com/analysis/823927

Signature

Initial sample is a PE file and has a suspicious name

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4/

Threat name:

Win32.Trojan.Trickpak

Status:

Malicious

First seen:

2021-07-29 14:52:04 UTC

AV detection:

12 of 27 (44.44%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

TrickBot

6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549

TrickBot

7bc0a27df5b8420ca23081fb973bb68729bab7b6229513c81019f7be76deb8e1

TrickBot

7e56e276f8847c9ff3973e49e005a7a76a2ce251bda01cd5ef252f9a4ae9c04e

TrickBot

848b47c55da850343ef365a367da5387673219f69ac6a0fa98a23527c886a350

TrickBot

a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401

TrickBot

faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7

TrickBot

fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be

TrickBot

+ 898 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:rob116 banker trojan

Link:

https://tria.ge/reports/210729-qmbl7c3wca/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

Unpacked files

SH256 hash:

b18dfe371a14f62ecb632e70409857751f62c1d4fe4134bfee6a8f12bb945889

MD5 hash:

43afbcfa56885feb90e9fc6e2daaeccd

SHA1 hash:

fe529f33bf280a62a0130438db7d60224c83cdc2

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/dc39108f-4eb0-40c7-9c23-3f9524c0336c/

Parent samples :

cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4
7c9f494ed4397ccedb3d5c8a10235669a31ae7eb79423b6fa785d141cb6d183d

SH256 hash:

daaff5c4176c5b00ef557747c4de8fd08a2f719f1b37f2049317a195f4941e5f

MD5 hash:

08687c1c937450199101e07d2dc7ac18

SHA1 hash:

e47b37ab53bf16190f87f191465182f5e4ca9bdd

Link:

https://www.unpac.me/results/dc39108f-4eb0-40c7-9c23-3f9524c0336c/

SH256 hash:

396ea9460e6b49f6b72f40e775eb9148fafc6b565b378d3429e2651254a87e4c

MD5 hash:

4da471445bbc62c8592113c7908688b6

SHA1 hash:

abfb23630d78909a052ac14e4ed3c8ba4312a3b1

Link:

https://www.unpac.me/results/dc39108f-4eb0-40c7-9c23-3f9524c0336c/

SH256 hash:

6579252ca0d676f188a70163e4030721c8062315450d542b15570976632cb03e

MD5 hash:

5bc54425e9325ccc584080eb0de6b96d

SHA1 hash:

53c3529481468d9e3fd2d098eba08e8bd187587a

Link:

https://www.unpac.me/results/dc39108f-4eb0-40c7-9c23-3f9524c0336c/

SH256 hash:

cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4

MD5 hash:

8dcc2d557edcd14aa33dd738ea58f937

SHA1 hash:

6b4f51126c575dbf9ba264bab17b602e31c23e0d

Link:

https://www.unpac.me/results/dc39108f-4eb0-40c7-9c23-3f9524c0336c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trickbot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

TrickBot

js 315d2734c9ba1f4faec4fa490ac8634aa69a1b1a860e1620699fd53efd61f4da

TrickBot

DLL dll cd774e6a643ce65364e57bdd6e4eea43c08ad5ac157d43d9c232e7bbdce81dd4

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1490060/

Dropped by

SHA256 315d2734c9ba1f4faec4fa490ac8634aa69a1b1a860e1620699fd53efd61f4da

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/175064/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample