MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20
SHA3-384 hash:	70775e70d130168165a4f2da0b78d4b2639374570398191a5530fa62809b181ee75c46827d61a17e51ed9a13706b2a3f
SHA1 hash:	905a13957f196b48bbd3d2c6876d3e76d8ac1119
MD5 hash:	2e6fcdc4bb4622a80f70db990a217718
humanhash:	october-three-avocado-cardinal
File name:	2e6fcdc4bb4622a80f70db990a217718.dll
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	557'056 bytes
First seen:	2021-07-22 08:02:13 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	f3deb6209dc9c95daaecc9f849af840f (12 x TrickBot)
ssdeep	6144:6nhWubOStZ6AbgmgwLp3gUhWeGt4OPc/woVPHma1MXohuPATdTpNSTrbkYW412ph:6nTltgBNwxgUXd/DGaXhu45pI3rep
Threatray	866 similar samples on MalwareBazaar
TLSH	T172C4CF2235E08577C4EF12345E667778A3FBBD946BF2C147679A890C6D339028B22327
dhash icon	71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter	abuse_ch
Tags:	dll rob109 TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

n/a

Vendor Threat Intelligence

Detection:

TrickBot

Link:

https://www.capesandbox.com/analysis/173257/

Detection(s):

SecuriteInfo.com.Trojan-Spy.TrickBot.9984.29939.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

TrickBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4db1e32-4b5e-47a6-bae3-8adeefa309ef

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-07-21 18:37:26 UTC

AV detection:

12 of 46 (26.09%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

TrickBot

7bc0a27df5b8420ca23081fb973bb68729bab7b6229513c81019f7be76deb8e1

TrickBot

8eb708fb8f044596b841b47c2d75f6c02f878f5685b75008084c70752b961d15

TrickBot

d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c

TrickBot

d4d87a208df0ba460ccc94d8b7c62e223e4f0a18fa2b799f13ab5ee70f3c2e6c

TrickBot

dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed

TrickBot

fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26

TrickBot

fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee

TrickBot

+ 856 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:rob109 banker trojan

Link:

https://tria.ge/reports/210722-sq4p3ces3j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Unpacked files

SH256 hash:

938812d5f46ffe93c903743719992f2b63a8bfdd619adbb85a88137e9ed28330

MD5 hash:

59509d380c2b8dc8babc705bd262e749

SHA1 hash:

e65a7e2026e1af085ff3e80f9486ef3bc5cc1f00

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/a4b3e27a-1265-4e6e-a70d-4ab55f463e31/

Parent samples :

dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed
d4d87a208df0ba460ccc94d8b7c62e223e4f0a18fa2b799f13ab5ee70f3c2e6c
7bc0a27df5b8420ca23081fb973bb68729bab7b6229513c81019f7be76deb8e1
1c8a67342a601e649f56e32383fecea6d62036a38a7edd2991bfd0e3323fd5f4
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb
9da8a5a0b5957db6112e927b607a8fd062b870f2132c4ae3442eb63235f789e1
b161eb34e5513131f4b0a4c0318646ed3448122445d7924e03ff5822a6e2d2dd
7c19373d58728b0e1b36cf30af5dca5eb5975acaaf2b8b0eeac0f87a4f82ce06
ab31cadce548ff34783ae6a838a3ece8484f4c96b02de8c9b314c0f96c064ab7

SH256 hash:

7429e3e9681fdfebc8210a744a9e41c7ad849f7af0c611ee4c272a67cbd44251

MD5 hash:

8c1a2825ab2da0ef39175720516294ca

SHA1 hash:

bdba87361cabe6814d5be5c0bb60b68f29b6e98a

Link:

https://www.unpac.me/results/a4b3e27a-1265-4e6e-a70d-4ab55f463e31/

SH256 hash:

59fc89c6cc4e85280791ab15e2e63e64fa4fd971bb57c0e266969bb2dbd9bc9a

MD5 hash:

dade50b747b1edd25607b2a6e7caa31a

SHA1 hash:

4d78b173bfd5bdf95d687c3bdfa3f8218e342bf4

Link:

https://www.unpac.me/results/a4b3e27a-1265-4e6e-a70d-4ab55f463e31/

SH256 hash:

8ec4c1b7bd6dc445b04d8d93740bcc72ee3ea94316e321c9fc7b5d77bfd314d5

MD5 hash:

9b49ff370e20a1581da344390b5a1d94

SHA1 hash:

085dd34e7281f8669a1e94001167cecd6c2be741

Link:

https://www.unpac.me/results/a4b3e27a-1265-4e6e-a70d-4ab55f463e31/

SH256 hash:

cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20

MD5 hash:

2e6fcdc4bb4622a80f70db990a217718

SHA1 hash:

905a13957f196b48bbd3d2c6876d3e76d8ac1119

Link:

https://www.unpac.me/results/a4b3e27a-1265-4e6e-a70d-4ab55f463e31/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1469126/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/173257/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Malware Config

Unpacked files

File information

Comments

Login required