MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d215aa40c0e512b7562cad4de5b0790d88facafcdef3f80484b08a50d0c47859. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d215aa40c0e512b7562cad4de5b0790d88facafcdef3f80484b08a50d0c47859
SHA3-384 hash: eeae9699bca92426d54de974c4593f2373ebdd319e26969b38bfba03efc08e3392a3c02d32d1a7dfec1f2d726925ea06
SHA1 hash: 98aca1c1d6442a8b5b6c3200e429a5aead16f03a
MD5 hash: 05109b470054300ba8d5d60a5d4fe532
humanhash: pasta-robin-muppet-tennessee
File name:triage_dropped_file
Download: download sample
Signature TrickBot
Create hunting rule
File size:808'448 bytes
First seen:2021-07-12 16:36:38 UTC
Last seen:2021-07-12 23:00:36 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash d0e9553bc3f533d54a171f6db9ddfec3 (1 x TrickBot)
ssdeep 12288:ZeNriJlv3ZbBwpGdTJPjUByzWNgIL01VQOYBzJPUDMVLsVdLAuCphl8FlqE:NlZjE+WNgIUQ3VVA7BCph2FlqE
Threatray 807 similar samples on MalwareBazaar
TLSH T10D05BE10B381E036E1BF217149A9976966AC6E308B34D1DBB7C49E7E5F712C2AE34317
Reporter malwarelabnet
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
3
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171171/
Detection(s):
SecuriteInfo.com.generic.ml.21457.21496.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b34a6af-958f-47e5-956f-44d0ff5c0d49
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815050
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447461 Sample: triage_dropped_file Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Found malware configuration 2->65 67 Yara detected Trickbot 2->67 69 Sigma detected: CobaltStrike Load by Rundll32 2->69 9 loaddll32.exe 1 2->9         started        11 rundll32.exe 2->11         started        process3 process4 13 rundll32.exe 9->13         started        16 cmd.exe 1 9->16         started        18 rundll32.exe 9->18         started        signatures5 83 Writes to foreign memory regions 13->83 85 Allocates memory in foreign processes 13->85 20 wermgr.exe 13->20         started        24 cmd.exe 13->24         started        26 rundll32.exe 16->26         started        28 wermgr.exe 18->28         started        30 cmd.exe 18->30         started        process6 dnsIp7 57 148.235.154.164, 443, 49725, 49743 UninetSAdeCVMX Mexico 20->57 59 60.51.47.65, 443, 49709, 49724 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 20->59 61 7 other IPs or domains 20->61 73 Hijacks the control flow in another process 20->73 75 May check the online IP address of the machine 20->75 77 Writes to foreign memory regions 20->77 81 2 other signatures 20->81 32 cmd.exe 11 20->32         started        37 cmd.exe 1 20->37         started        79 Allocates memory in foreign processes 26->79 39 wermgr.exe 26->39         started        41 cmd.exe 26->41         started        signatures8 process9 dnsIp10 53 12.23.113.88, 443, 49745 ATT-INTERNET4US United States 32->53 55 85.187.252.141, 443, 49744 ABINTER-ASBG Bulgaria 32->55 47 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 32->47 dropped 49 C:\Users\user\AppData\...\Login Data.bak, SQLite 32->49 dropped 51 C:\Users\user\AppData\Local\...\History.bak, SQLite 32->51 dropped 71 Tries to harvest and steal browser information (history, passwords, etc) 32->71 43 conhost.exe 32->43         started        45 conhost.exe 37->45         started        file11 signatures12 process13
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d215aa40c0e512b7562cad4de5b0790d88facafcdef3f80484b08a50d0c47859/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 16:37:07 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ik2uqga4ujlovrmvvg6lmdzbwepvsx433z7qbeewcffbugepbmq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22
TrickBot
1b4dc75e64b5c252b762bf6e368e70bd4dc2b6c069953c158123cbbb3c49e989
TrickBot
1df7adb79eb1757f7c54e86369c72a38b24ec25a608d5281b289d5e018e81757
TrickBot
26f3b97dfdcffc516a890f5e0bd3539c63603c26bea8298e7376ab9f9b53433a
TrickBot
678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24
TrickBot
c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2
TrickBot
d1df22bbe41e65a75aaf201fc4ed1d5ca0eaa78f193a99eb2043706e26abfc48
TrickBot
f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1
TrickBot
f90aeb669c32ed6f1009101cc3c071a840f25c7828035601e92f4e17cd95b606
TrickBot
+ 797 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob106 banker trojan
Link:
https://tria.ge/reports/210712-7f27eg4j16/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
676c815319d9215b847a6d0d77e051b97173a7b3d7de5aa2df2e68abee3ac185
MD5 hash:
c3bc2dc58c71a082c716e74da3027b3b
SHA1 hash:
b0440e8e6afc12e477f260146aa70601a21b74a0
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/2344888b-f735-4508-a397-5ccbf4d259bf/
SH256 hash:
ac1f1d28890903017fc689f705ec68203808d575267db91b87bdf76722a0ea1f
MD5 hash:
c9a736ee57219809246644740e339649
SHA1 hash:
ae82e2725a93e3233d0e4e0162a04eba1b3a6617
Link:
https://www.unpac.me/results/2344888b-f735-4508-a397-5ccbf4d259bf/
SH256 hash:
0faa4b8969a32aba00ee003f7d24a1d97b3086cb02c6ce56a8fda388ef7c16fa
MD5 hash:
fe0926ae0d52bedb8a04ebed30a2c4f4
SHA1 hash:
41fd85aa06c824a34279a1f5f1582bfc7d62092e
Link:
https://www.unpac.me/results/2344888b-f735-4508-a397-5ccbf4d259bf/
SH256 hash:
8cb66a0c5c89a2d0194975835dfa0d1b76e5b11623764b9a09edef79f8d9bdef
MD5 hash:
21792f0986d747671a5d5f22612f08b7
SHA1 hash:
163d16c17d0d1986ade69e5e5f698c76406163e3
Link:
https://www.unpac.me/results/2344888b-f735-4508-a397-5ccbf4d259bf/
SH256 hash:
d215aa40c0e512b7562cad4de5b0790d88facafcdef3f80484b08a50d0c47859
MD5 hash:
05109b470054300ba8d5d60a5d4fe532
SHA1 hash:
98aca1c1d6442a8b5b6c3200e429a5aead16f03a
Link:
https://www.unpac.me/results/2344888b-f735-4508-a397-5ccbf4d259bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d215aa40c0e512b7562cad4de5b0790d88facafcdef3f80484b08a50d0c47859

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll d215aa40c0e512b7562cad4de5b0790d88facafcdef3f80484b08a50d0c47859

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/171171/
  
URLhaus
https://urlhaus.abuse.ch/url/1449686/
  
Delivery method
Distributed via web download

Comments