MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9882294caa558fc01c900fe07e6d3f24acc46110bd8c2206e311139e9f13386. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9882294caa558fc01c900fe07e6d3f24acc46110bd8c2206e311139e9f13386
SHA3-384 hash: a5d0032df7f2859504251651b667ae17147846ca492bf6cd7af3147e2b2d4bf45f786a749373b0aaa62e510b5025c42c
SHA1 hash: c9a49ac93d835d11da89c9da7d911bba776b5bd7
MD5 hash: 58b634247ab069f4b122b461d4a210f9
humanhash: connecticut-winner-timing-ten
File name:SecuriteInfo.com.generic.ml.4293.3775
Download: download sample
Signature TrickBot
Create hunting rule
File size:508'416 bytes
First seen:2021-03-04 18:35:17 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 9b3e66dca6abb2be6731f377cc803ec2 (1 x TrickBot)
ssdeep 12288:3W3NM1Jkop5SC1y8oNYT81u6g6cRmRzhkj:2a1Jkon9yhazW/Rzh
Threatray 1 similar samples on MalwareBazaar
TLSH FEB4CF20F5684806CCE917736CA0BFC2D5BDE3DE2F172757F9AD0689C6258B25189B83
Reporter SecuriteInfoCom
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122336/
Detection(s):
SecuriteInfo.com.generic.ml.4293.3775.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/629034
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 363487 Sample: SecuriteInfo.com.generic.ml... Startdate: 04/03/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 3 other signatures 2->50 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 regsvr32.exe 8->17         started        signatures5 60 Writes to foreign memory regions 12->60 62 Allocates memory in foreign processes 12->62 19 wermgr.exe 12->19         started        23 wermgr.exe 12->23         started        25 iexplore.exe 1 74 15->25         started        process6 dnsIp7 32 123.231.149.123, 447, 49783 LINTASARTA-AS-APNetworkAccessProviderandInternetServic Indonesia 19->32 34 103.225.138.94, 449, 49765, 49776 DCNBSI-AS-APDCTVCableNetworkBroadbandServicesIncPH Philippines 19->34 36 4 other IPs or domains 19->36 52 Hijacks the control flow in another process 19->52 54 Writes to foreign memory regions 19->54 27 svchost.exe 19->27         started        56 Tries to detect virtualization through RDTSC time measurements 23->56 58 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 23->58 29 iexplore.exe 149 25->29         started        signatures8 process9 dnsIp10 38 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49760, 49761 YAHOO-DEBDE United Kingdom 29->38 40 prod.appnexus.map.fastly.net 151.101.1.108, 443, 49762, 49763 FASTLYUS United States 29->40 42 11 other IPs or domains 29->42
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9882294caa558fc01c900fe07e6d3f24acc46110bd8c2206e311139e9f13386/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 16:48:20 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
b1059d3901d7ddbd8bae644b5c5293579fa6f52eb67949d0f259f414ddb48881
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob70 banker trojan
Link:
https://tria.ge/reports/210304-n48x356v82/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
103.225.138.94:449
122.2.28.70:449
123.200.26.246:449
131.255.106.152:449
142.112.79.223:449
154.126.176.30:449
180.92.238.186:449
187.20.217.129:449
201.20.118.122:449
202.91.41.138:449
95.210.118.90:449
Unpacked files
SH256 hash:
88e28425eb06ff70c709c62b47e9e0ad9b8e7a9872ef231a5313bd53809dbe78
MD5 hash:
0ca2026839450a7c7d75a9b0327fa5d7
SHA1 hash:
3ab7ec4fb50301395011a802d69aa80931768d7d
Link:
https://www.unpac.me/results/483c54aa-2b42-4a0b-ab4a-ffcc00b98c73/
SH256 hash:
2ed597669e9407fa664c4fd26684a84dbb73681400d966d41185c240bcfe5051
MD5 hash:
bf6b7b0ad4d347934eb2ddb0f9b146c4
SHA1 hash:
9b65330f45273c9d750b52ec2235a414e91a72fd
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/483c54aa-2b42-4a0b-ab4a-ffcc00b98c73/
Parent samples :
b1059d3901d7ddbd8bae644b5c5293579fa6f52eb67949d0f259f414ddb48881
d9882294caa558fc01c900fe07e6d3f24acc46110bd8c2206e311139e9f13386
SH256 hash:
d9882294caa558fc01c900fe07e6d3f24acc46110bd8c2206e311139e9f13386
MD5 hash:
58b634247ab069f4b122b461d4a210f9
SHA1 hash:
c9a49ac93d835d11da89c9da7d911bba776b5bd7
Link:
https://www.unpac.me/results/483c54aa-2b42-4a0b-ab4a-ffcc00b98c73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/d9882294caa558fc01c900fe07e6d3f24acc46110bd8c2206e311139e9f13386

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll d9882294caa558fc01c900fe07e6d3f24acc46110bd8c2206e311139e9f13386

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1047006/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/122336/

Comments