MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daaa30e482038f20a6a9a2f0b5dee9e5f5e06284e7acea2413aa255d0e66d5d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11



SHA256 hash: daaa30e482038f20a6a9a2f0b5dee9e5f5e06284e7acea2413aa255d0e66d5d1
SHA3-384 hash: cfcde69ec9d92a9b62cf3030593b05c0b3dfce12335ceccb1ef7fe0261c7bedd3bd35b9e6c11e84b12b505b97d7ff1e0
SHA1 hash: a9eb4b32cd4ecca0dbb1f71b6cc87dc174f380cf
MD5 hash: dfbfed5b80717aae90669e3c761ffa35
humanhash: mike-edward-lamp-pasta
File name: dfbfed5b80717aae90669e3c761ffa35.dll
Signature: TrickBot
File size: 528'384 bytes
First seen: 2021-07-16 13:28:34 UTC
Last seen: 2021-07-16 14:42:16 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: 9646f8d9906f1ec39cfd7388ea0616e5 (2 x TrickBot)
ssdeep: 12288:VE2DFZrTO3Xv3jLOBWTNvFD1VeubeMl2005W7eQT:VrrTO3/3WwZv91VeAlXw
Threatray: 842 similar samples on MalwareBazaar
TLSH: T1BEB4CF127D90C436D7AF03B08D631B7B52B9B8007B79C98B6BBC8E4E1E7585C8635297
Reporter: abuse_ch
Tags: dll sat2 TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 214
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: TrickBot
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature:
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph (ID 449903; sample HocVKWxT9F.dll; start date 16/07/2021; architecture WINDOWS; score 80). The graphic did not survive extraction; the process tree, network contacts and per-node signatures it encoded are listed here in text form:
Root: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Yara detected Trickbot; DNS lookup of 51.52.17.84.dnsbl-1.uceprotect.net
  loaddll32.exe (Writes to foreign memory regions; Allocates memory in foreign processes)
    regsvr32.exe (Writes to foreign memory regions; Allocates memory in foreign processes)
      wermgr.exe (Writes to foreign memory regions; Tries to detect virtualization through RDTSC time measurements; Found evasive API chain) contacts 148.235.154.164:443 (UninetSAdeCVMX, Mexico), 24.162.214.166:443 (TWC-11427-TEXASUS, United States) and 16 other IPs or domains
        cmd.exe -> conhost.exe
      cmd.exe
    rundll32.exe
      wermgr.exe contacts 60.51.47.65:443 (TMNET-AS-APTMNetInternetServiceProviderMY, Malaysia), 38.110.103.113:443 (BELAIR-TECHNOLOGIESCA, United States) and 8 other IPs or domains
        cmd.exe -> conhost.exe
      cmd.exe
    cmd.exe
      rundll32.exe (Allocates memory in foreign processes)
        wermgr.exe
        cmd.exe
    3 other processes, which contact 185.81.51.44:443 (VIA-SMSLV, Latvia), 38.110.100.104:443 (BELAIR-TECHNOLOGIESCA, United States) and 10 other IPs or domains
      iexplore.exe contacts 10 other IPs or domains
      cmd.exe -> conhost.exe
  rundll32.exe
  regsvr32.exe
Threat name: Win32.Trojan.Trickpak
Status: Malicious
First seen: 2021-07-16 13:29:08 UTC
AV detection: 15 of 27 (55.56%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:sat2 banker trojan
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files

SHA256 hash: 710e9acda27a151378430a87320ebd3bd6d77c7dcaabc57f3414d6d27ad90e35
MD5 hash: 036fa39cb9ba5a9958fab0f7e4c23ef7
SHA1 hash: afa461acf5efd6828742caa5eba6464245317f52

SHA256 hash: 975a471e7fc9b0b20c4a569dc8efa952cd368ba6e97e9264604b72296eb058c3
MD5 hash: 06c9a03fb11c392bd66bcbaf63f72578
SHA1 hash: aa5a844332f2bc67a98690d6d2823e0c8a5af49d
Detections: win_trickbot_auto

SHA256 hash: 3d718f4f2603c3370d60f355806955069c45814620b140abef9b1b2e8052154d
MD5 hash: 11bb5785995c25b3c4640df50e73953a
SHA1 hash: 2ff6450590a47538c8004948207c3510b2902165

SHA256 hash: 478a0c49e58830ffc0da0332d9053104e575f0c71c2ee048dbaf22f07054b28b
MD5 hash: d5cb6100cfdd1a5ec7741b10517fc740
SHA1 hash: 25bd11e64af7ed3587599a1d162f5eafa9d8c564

SHA256 hash: daaa30e482038f20a6a9a2f0b5dee9e5f5e06284e7acea2413aa255d0e66d5d1 (this sample)
MD5 hash: dfbfed5b80717aae90669e3c761ffa35
SHA1 hash: a9eb4b32cd4ecca0dbb1f71b6cc87dc174f380cf

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | TrickBot | DLL (dll) | daaa30e482038f20a6a9a2f0b5dee9e5f5e06284e7acea2413aa255d0e66d5d1 (this sample)

Delivery method: Distributed via web download

Comments