MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed
SHA3-384 hash: 76a2926791312cee5045d8586adc8cd8f19f7039323cfa479dcb9dde6732c9bd2927ab47dbe03786467cf38f542fd313
SHA1 hash: f41df626fe1b067dc6cf6cfe99a632c2ee6f1c66
MD5 hash: 712c24363a47abc4d4c63e38121d48b6
humanhash: fruit-nitrogen-friend-may
File name:lovemetertok.png
Download: download sample
Signature TrickBot
Create hunting rule
File size:557'056 bytes
First seen:2021-07-20 18:46:37 UTC
Last seen:2021-07-20 20:15:26 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash f3deb6209dc9c95daaecc9f849af840f (12 x TrickBot)
ssdeep 6144:6nhWubOStZ6AbgmgwLp3gUhWeGtvOPc/woVPHma1MXohuPATdTpNSTrbkYW412ph:6nTltgBNwxgUXQ/DGaXhu45pI3rep
Threatray 846 similar samples on MalwareBazaar
TLSH T1ECC4CF2235E08577C4EF16345E667778A3FBBD942BF2C147679A890C6D339128B22327
Reporter abuse_ch
Tags:dll rob109 TrickBot


Avatar
abuse_ch
TrickBot payload URLs:
http://109.248.201.26/lovemetertok.php
http://142.11.195.33/images/lovemetertok.png

TrickBot C2s:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172881/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.2264.23146.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b99107b-8f18-4e74-8912-15c5c6831bb0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/819181
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451590 Sample: lovemetertok.png Startdate: 20/07/2021 Architecture: WINDOWS Score: 84 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Sigma detected: CobaltStrike Load by Rundll32 2->80 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 rundll32.exe 10->16         started        19 cmd.exe 1 10->19         started        21 rundll32.exe 10->21         started        signatures5 74 Writes to foreign memory regions 16->74 76 Allocates memory in foreign processes 16->76 23 wermgr.exe 16->23         started        27 cmd.exe 16->27         started        29 rundll32.exe 19->29         started        31 wermgr.exe 21->31         started        33 cmd.exe 21->33         started        process6 dnsIp7 68 170.238.117.187, 443, 49721, 49726 America-NETLtdaBR Brazil 23->68 70 60.51.47.65, 443, 49716, 49720 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 23->70 72 8 other IPs or domains 23->72 86 Hijacks the control flow in another process 23->86 88 May check the online IP address of the machine 23->88 90 Writes to foreign memory regions 23->90 94 2 other signatures 23->94 35 cmd.exe 11 23->35         started        92 Allocates memory in foreign processes 29->92 40 wermgr.exe 29->40         started        42 cmd.exe 29->42         started        signatures8 process9 dnsIp10 56 5.181.80.128, 443, 49738 TELEHOUSE-ASBG Bulgaria 35->56 58 94.140.114.239, 443, 49736 NANO-ASLV Latvia 35->58 64 4 other IPs or domains 35->64 50 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 35->50 dropped 52 C:\Users\user\AppData\...\Login Data.bak, SQLite 35->52 dropped 54 C:\Users\user\AppData\Local\...\History.bak, SQLite 35->54 dropped 82 Tries to harvest and steal browser information (history, passwords, etc) 35->82 44 conhost.exe 35->44         started        60 45.36.99.184, 443, 49723, 49725 TWC-11426-CAROLINASUS United States 40->60 62 217.115.240.248, 443, 49722 MGICZMGIautonomoussystemCzechRepublicCZ Czech Republic 40->62 66 7 other IPs or domains 40->66 84 Writes to foreign memory regions 40->84 46 cmd.exe 1 40->46         started        file11 signatures12 process13 process14 48 conhost.exe 46->48         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 18:47:08 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
458844d1edad3253667e6eea0dc735a748e87ff784cbf12c80f05c15e96ec3d9
TrickBot
6b9c6a3cb61aa69e521120369f8d4bfbc91a4259dfe79996a512e2a1c3cd85ef
TrickBot
7d6688ec15f6fec19a2cc6743f3fe50f5dcf79d14f122f3ebdf844464c45abec
TrickBot
8a5ab991e0f8318707d517aee2a9a0689b5908050e17b6afce77e83544fcaaa8
TrickBot
8eb708fb8f044596b841b47c2d75f6c02f878f5685b75008084c70752b961d15
TrickBot
ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49
TrickBot
cc874aecc69d4a5b5694f59c3896fe36ec29a44ce77e4f07c7cd5ec9f3b04688
TrickBot
e70bf6458eee2cfcf961aa219af2296cf14df04a9dbb3686ddcde1478fe38265
TrickBot
f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3
TrickBot
fccb8dea9ab7e194eadc863a8e7658b9076fddd4b645b4241ab5b9a33997afcc
TrickBot
+ 836 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob109 banker trojan
Link:
https://tria.ge/reports/210720-acfs94mz4j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
938812d5f46ffe93c903743719992f2b63a8bfdd619adbb85a88137e9ed28330
MD5 hash:
59509d380c2b8dc8babc705bd262e749
SHA1 hash:
e65a7e2026e1af085ff3e80f9486ef3bc5cc1f00
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/69c6a36a-eb27-472d-bfd5-760b854680d4/
Parent samples :
dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed
d4d87a208df0ba460ccc94d8b7c62e223e4f0a18fa2b799f13ab5ee70f3c2e6c
7bc0a27df5b8420ca23081fb973bb68729bab7b6229513c81019f7be76deb8e1
1c8a67342a601e649f56e32383fecea6d62036a38a7edd2991bfd0e3323fd5f4
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb
9da8a5a0b5957db6112e927b607a8fd062b870f2132c4ae3442eb63235f789e1
b161eb34e5513131f4b0a4c0318646ed3448122445d7924e03ff5822a6e2d2dd
7c19373d58728b0e1b36cf30af5dca5eb5975acaaf2b8b0eeac0f87a4f82ce06
ab31cadce548ff34783ae6a838a3ece8484f4c96b02de8c9b314c0f96c064ab7
SH256 hash:
7429e3e9681fdfebc8210a744a9e41c7ad849f7af0c611ee4c272a67cbd44251
MD5 hash:
8c1a2825ab2da0ef39175720516294ca
SHA1 hash:
bdba87361cabe6814d5be5c0bb60b68f29b6e98a
Link:
https://www.unpac.me/results/69c6a36a-eb27-472d-bfd5-760b854680d4/
SH256 hash:
59fc89c6cc4e85280791ab15e2e63e64fa4fd971bb57c0e266969bb2dbd9bc9a
MD5 hash:
dade50b747b1edd25607b2a6e7caa31a
SHA1 hash:
4d78b173bfd5bdf95d687c3bdfa3f8218e342bf4
Link:
https://www.unpac.me/results/69c6a36a-eb27-472d-bfd5-760b854680d4/
SH256 hash:
8ec4c1b7bd6dc445b04d8d93740bcc72ee3ea94316e321c9fc7b5d77bfd314d5
MD5 hash:
9b49ff370e20a1581da344390b5a1d94
SHA1 hash:
085dd34e7281f8669a1e94001167cecd6c2be741
Link:
https://www.unpac.me/results/69c6a36a-eb27-472d-bfd5-760b854680d4/
SH256 hash:
dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed
MD5 hash:
712c24363a47abc4d4c63e38121d48b6
SHA1 hash:
f41df626fe1b067dc6cf6cfe99a632c2ee6f1c66
Link:
https://www.unpac.me/results/69c6a36a-eb27-472d-bfd5-760b854680d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Java Script (JS) js 185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884

TrickBot

DLL dll dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/browse/tag/rob109/
  
Dropped by
SHA256 185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172881/

Comments