MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc
SHA3-384 hash: 0c5fe59d6066e018c77b410b022d2b21d0dc1ecc5a8b08fa9132cd0464ecef69d9eb5bbbd17a7d2a330db2e9f54cb6ae
SHA1 hash: 26fa4dd1e880a8a7710177c85739c0c967e8062c
MD5 hash: 8871814a59bff5b10453fb4537525be7
humanhash: oscar-georgia-enemy-edward
File name:trickBot_00DA0000.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:228'050 bytes
First seen:2021-08-20 01:57:29 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1f6199c52a5d3ffac2a25f6b3601dd22 (2 x TrickBot)
ssdeep 6144:PWaOlBRTZp7dbuyQsacSebDUvg+XiwNSskRvM588aLi2:wBR1pRbGcSecICSskZM5e
Threatray 1'286 similar samples on MalwareBazaar
TLSH T16E24126BA81206B7D3E322F6C4F7087D54681B984344A6E706E81ED45FE78E53E3AC53
Reporter aaqeel87
Tags:dll TrickBot unpacked


Avatar
aaqeel87
unpacked Trickbot 19 Aug 2021

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180825/
Detection(s):
Win.Keylogger.Emotet-9774533-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a51b30a-0497-4285-b9f5-5dc3b9d0a2a0
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836140
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468567 Sample: trickBot_00DA0000.dll Startdate: 20/08/2021 Architecture: WINDOWS Score: 100 82 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->82 84 Found malware configuration 2->84 86 Antivirus detection for dropped file 2->86 88 8 other signatures 2->88 9 loaddll32.exe 1 2->9         started        12 rundll32.exe 2->12         started        process3 signatures4 98 Writes to foreign memory regions 9->98 100 Allocates memory in foreign processes 9->100 14 cmd.exe 1 9->14         started        16 wermgr.exe 9->16         started        20 cmd.exe 9->20         started        22 rundll32.exe 12->22         started        process5 dnsIp6 24 rundll32.exe 14->24         started        60 128.201.76.252, 443, 49714, 49716 PedroFArrudaJuniorMEBR Brazil 16->60 62 216.166.148.187, 443 CYBERNET1US United States 16->62 64 9 other IPs or domains 16->64 72 May check the online IP address of the machine 16->72 74 Writes to foreign memory regions 16->74 76 Tries to detect virtualization through RDTSC time measurements 16->76 78 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 16->78 27 svchost.exe 16->27         started        80 Allocates memory in foreign processes 22->80 29 wermgr.exe 22->29         started        31 cmd.exe 22->31         started        signatures7 process8 signatures9 94 Writes to foreign memory regions 24->94 96 Allocates memory in foreign processes 24->96 33 wermgr.exe 3 24->33         started        38 cmd.exe 24->38         started        process10 dnsIp11 66 105.27.205.34, 443, 49708 SEACOM-ASMU Mauritius 33->66 68 46.99.175.217, 443, 49702, 49707 IPKO-ASAL Albania 33->68 70 7 other IPs or domains 33->70 50 C:\Users\user\...\hbtrickBot_00DA0000lp.dmo, PE32 33->50 dropped 90 Hijacks the control flow in another process 33->90 92 Writes to foreign memory regions 33->92 40 svchost.exe 5 33->40         started        44 svchost.exe 33->44         started        46 svchost.exe 1 33->46         started        48 svchost.exe 33->48         started        file12 signatures13 process14 file15 52 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 40->52 dropped 54 C:\Users\user\AppData\...\Login Data.bak, SQLite 40->54 dropped 56 C:\Users\user\AppData\Local\...\History.bak, SQLite 40->56 dropped 58 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 40->58 dropped 102 Tries to harvest and steal browser information (history, passwords, etc) 40->102 signatures16
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc/
Threat name:
Win32.Trojan.IcedID
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 01:58:12 UTC
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
TrickBot
336c374c048c503e3e4f6d5f3d357ca49cc5ecf0187378a3869edcc050b9d441
TrickBot
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
TrickBot
82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5
TrickBot
f60d8bd3ca821e7de945f17d646654b7c0f25949aa8c6f780313925076444fc2
TrickBot
+ 1'276 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob124 banker trojan
Link:
https://tria.ge/reports/210820-xbde8v3962/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
5a18b52942b4d7b1b924ebf93ca839ce1d76b7702b8e5fadd5ccc63838be740a
MD5 hash:
faf9f47bb07d787e0c4d9d7d077dbba8
SHA1 hash:
bc6f9e179bc86fec6ad81839b199cfcd1701e987
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/766b9115-82ed-4ad5-b385-41f54f4705c9/
SH256 hash:
6c9849a55e14413b992a38fc884c629d7c073f59c9a577cec2440cc5109f6322
MD5 hash:
31b6b0443518dafa2866f0a8d1732f20
SHA1 hash:
37baa491cf91d664b85012bc1080da77d75cb6fb
Link:
https://www.unpac.me/results/766b9115-82ed-4ad5-b385-41f54f4705c9/
SH256 hash:
1b8e8ffe1d8f62608257bbee9b8217c21a2ed40501aa61b3f9eaca521a124a95
MD5 hash:
c5cad007b72a04dcb3cd07b6a7996c15
SHA1 hash:
27bd2a4559a4f15c937c617eb62961164b7e6ce4
Link:
https://www.unpac.me/results/766b9115-82ed-4ad5-b385-41f54f4705c9/
SH256 hash:
cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc
MD5 hash:
8871814a59bff5b10453fb4537525be7
SHA1 hash:
26fa4dd1e880a8a7710177c85739c0c967e8062c
Link:
https://www.unpac.me/results/766b9115-82ed-4ad5-b385-41f54f4705c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://tria.ge/210819-1kxfgvxk3n
Cape
Cape
https://www.capesandbox.com/analysis/180825/

Comments