MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc084e88f377ddd7ee21424f94f1f94b409b26ebfbfb6b8566654cc9ce71472e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9

SHA256 hash: dc084e88f377ddd7ee21424f94f1f94b409b26ebfbfb6b8566654cc9ce71472e
SHA3-384 hash: b0e41d6065ac7f8c7991c374d5c2eac41eca3018ae467c2c637d50987a99a67becf06862314ae7773f4189b2cc56bf58
SHA1 hash: 69e34010da3954b55806b8afd622fbe573ad89df
MD5 hash: 32b2798ecb2396f1bb2ccc3d5a2a20fe
humanhash: nineteen-beryllium-wisconsin-friend
File name: dc084e88f377ddd7ee21424f94f1f94b409b26ebfbfb6b8566654cc9ce71472e
Signature: TrickBot
File size: 1'010'176 bytes
First seen: 2021-06-09 17:09:05 UTC
Last seen: 2021-06-09 18:00:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9cff33d60abb2b9ada3b724500411bdc (3 x TrickBot)
ssdeep: 12288:ZMRocJsQWis6bFd10txEYP2WUJJ2XegCnZ1v4414FB4sbqiohY8Hy1n6quWT:mimzrjHy2WUJueLZ1v4414vbqWrbz
Threatray: 3'238 similar samples on MalwareBazaar
TLSH: 3C257C1076B0D033F2B12172897AD9F3E575EC628B2573CBE5C2363C2A3C5D35A25AA5
Reporter: sisoma2
Tags: exe TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 465
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Forced shutdown of a system process

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: TrickBot
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot

Threat name: Win32.Trojan.TrickBot
Status: Malicious
First seen: 2021-06-09 16:28:49 UTC
AV detection: 11 of 29 (37.93%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:mod2 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
178.72.192.20:443
103.124.145.98:443
45.5.152.39:443
114.7.240.222:443
85.248.1.126:443
94.183.237.101:443
146.196.121.219:443
89.37.1.2:443
94.142.179.77:443
177.221.39.161:443
85.175.171.246:443
103.12.160.164:443
180.178.106.50:443
94.142.179.179:443
46.209.140.220:443
123.231.149.122:443
123.231.149.123:443
182.160.116.190:443
131.0.112.122:443
116.0.6.110:443
103.101.104.229:443
88.150.240.129:443
103.242.104.68:443
Unpacked files
SHA256 hash: d1c4a8bdda47bd4b16ac6c93142c49da30bf361a8662b8b3de6e97f135b1c8c9
MD5 hash: 09ae34300cfc95e2a77da8b55edf17c1
SHA1 hash: e3bcd692b10c5caf4280ba696bcb3727d34f59f3

SHA256 hash: bdb7ddae276074bc52d2d2a2454dfc994f5762e718105c4025a558291caf88ce
MD5 hash: 8b1a856ddb31dd59dc3df146985bc169
SHA1 hash: 703d73013fce882d7fcc611a9045be23c1d166b6
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto

SHA256 hash: e8e03b0614a5d235790f383cc31e097c283fa2659ec2ecff109f260cedc1fcf9
MD5 hash: 6ca8426c588496c4e3787103f7d52754
SHA1 hash: 0d2f7ea3586ca47d5373dd8b065c5428f46d83ee
Detections: win_trickbot_auto

SHA256 hash: dc084e88f377ddd7ee21424f94f1f94b409b26ebfbfb6b8566654cc9ce71472e
MD5 hash: 32b2798ecb2396f1bb2ccc3d5a2a20fe
SHA1 hash: 69e34010da3954b55806b8afd622fbe573ad89df
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
TrickBot
Executable exe dc084e88f377ddd7ee21424f94f1f94b409b26ebfbfb6b8566654cc9ce71472e (this sample)

Delivery method: Distributed via e-mail attachment
