MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48
SHA3-384 hash: 903c67aca45ad2982ec7b96eaf28f212fd04856d9086c9007fa05acc773f1f673fd20472dc15c3b7a6649e36d0cea78d
SHA1 hash: ae9996b5073d7e3486671577496a193ebb86da87
MD5 hash: 3f25698d3d910316f3ec2a7305369166
humanhash: pip-ohio-diet-fillet
File name:d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48
Download: download sample
Signature TrickBot
Create hunting rule
File size:714'752 bytes
First seen:2021-07-08 13:11:12 UTC
Last seen:2021-07-08 13:48:48 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 7cd24df33ed3937cbe89f157c52af627 (1 x TrickBot)
ssdeep 12288:iMi/XYchVvkJiSA0aVEE72PbnF1dvierYhZ/faplM9VVEKbVW:iMQoc3vkoSAxS3ZvnplYVVEKRW
Threatray 3'360 similar samples on MalwareBazaar
TLSH T176E4AF117781C035C16E3230450BE77966EDACB09EB987476FE42A7F2F746C29A3861B
Reporter Anonymous
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170447/
Detection(s):
SecuriteInfo.com.LresultFromObject.27621.16876.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38d80eaa-afdd-4657-a05b-ec380eb2bf29
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813495
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445906 Sample: ve88CBNzQZ Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Found malware configuration 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 2 other signatures 2->71 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 rundll32.exe 10->16         started        19 cmd.exe 1 10->19         started        21 rundll32.exe 10->21         started        signatures5 61 Writes to foreign memory regions 16->61 63 Allocates memory in foreign processes 16->63 23 wermgr.exe 16->23         started        27 cmd.exe 16->27         started        29 rundll32.exe 19->29         started        31 wermgr.exe 21->31         started        33 cmd.exe 21->33         started        process6 dnsIp7 55 148.235.154.164, 443, 49766 UninetSAdeCVMX Mexico 23->55 57 24.162.214.166, 443, 49742, 49747 TWC-11427-TEXASUS United States 23->57 59 9 other IPs or domains 23->59 75 May check the online IP address of the machine 23->75 77 Writes to foreign memory regions 23->77 79 Tries to detect virtualization through RDTSC time measurements 23->79 81 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 23->81 35 cmd.exe 1 23->35         started        83 Allocates memory in foreign processes 29->83 37 wermgr.exe 29->37         started        41 cmd.exe 29->41         started        signatures8 process9 dnsIp10 43 conhost.exe 35->43         started        49 190.144.10.242, 443, 49746 TelmexColombiaSACO Colombia 37->49 51 60.51.47.65, 443, 49736, 49743 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 37->51 53 9 other IPs or domains 37->53 73 Writes to foreign memory regions 37->73 45 cmd.exe 1 37->45         started        signatures11 process12 process13 47 conhost.exe 45->47         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 13:12:07 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hpsfo7edzs2owvpeap4j3i5lsqovj4pde5jt2zainyg4jvl7rea._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
083424f93427a47fe75c914dcf71091226bd598a0ce512dccd01cb0b5d48c918
TrickBot
1161c095c63b3b47494043acf049d9803b6cf13a453af90f6ed415d1e357291c
TrickBot
26f3b97dfdcffc516a890f5e0bd3539c63603c26bea8298e7376ab9f9b53433a
TrickBot
3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18
TrickBot
437d0b75f67c18c12a35d9c0e1a32fc57b426834fa4df63f30f11cb17dd24528
TrickBot
507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd
TrickBot
678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24
TrickBot
87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4
TrickBot
896b649c68a4c744c0bcab8c1918732ef1c82bb51ffaea777d3035867bd2787a
TrickBot
b039b8374364c149ab5f182fb9f3ab47ab09e3918afa0bcaae3d22974a665cbc
TrickBot
+ 3'350 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob104 banker trojan
Link:
https://tria.ge/reports/210708-pn8grvk3ja/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
67fc08e17f499f398075cb5a0291f546a8ab2182c444b4338a91e5eb41d500f4
MD5 hash:
001d117c100a557ddc86c1c3b84d2024
SHA1 hash:
ee90c22009842031d539011f8dbe164490619708
Link:
https://www.unpac.me/results/c3bc1aa2-46bf-4f03-83ae-e35f21bcc80e/
SH256 hash:
f4112832a91c11b00c916417ad5c7663ad49aee8ed35acd841fd731b7681599d
MD5 hash:
2b67f0f4e5c30b37b3bbc3947dfe28f4
SHA1 hash:
cd3a5f1ebc8c55b17761e54c8cedb98b37484508
Link:
https://www.unpac.me/results/c3bc1aa2-46bf-4f03-83ae-e35f21bcc80e/
SH256 hash:
c2b4c6741f1a67575aa9cf8b9688d3a45b7b7cb73878edb0420bf43a8c918d06
MD5 hash:
304b0095ef58f9b5f702bf197aae169e
SHA1 hash:
1f6874319cf7d4268abf529834c9ee216e48c6cb
Link:
https://www.unpac.me/results/c3bc1aa2-46bf-4f03-83ae-e35f21bcc80e/
SH256 hash:
cb2aee66304a14679ad7ae5bbbdb641e934f5261d053c2c274e5b6bb55c53266
MD5 hash:
3e39197c7928ae61586f54137fe02d89
SHA1 hash:
1d178b6a289e600575bdb637359a39858ad392f2
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c3bc1aa2-46bf-4f03-83ae-e35f21bcc80e/
SH256 hash:
d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48
MD5 hash:
3f25698d3d910316f3ec2a7305369166
SHA1 hash:
ae9996b5073d7e3486671577496a193ebb86da87
Link:
https://www.unpac.me/results/c3bc1aa2-46bf-4f03-83ae-e35f21bcc80e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170447/

Comments