MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727
SHA3-384 hash: 4e329539d36138c64362303c4f2597340a1ecd0b94abc7f6553b23fc124a6efa9110533ad2e10fcdcce398fb4318bb76
SHA1 hash: f8536268a3233bf571422b4e45a18ebbefe02082
MD5 hash: 963792ec63e0f0dfdff62046fc03bfa4
humanhash: ceiling-berlin-cold-utah
File name:963792ec63e0f0dfdff62046fc03bfa4.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:524'288 bytes
First seen:2021-10-07 09:01:03 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash fd98f67a63ecc847a2028c66b8388afb (8 x TrickBot)
ssdeep 6144:b3oOkxQXFDzaLtFD2aD3mAKit6lltqFpaI28VwPHK6+TDrAo0dThI9eq0NIaP:b3ExQ1DzM187qFp12iwPqvDr2VI9bZa
Threatray 4'090 similar samples on MalwareBazaar
TLSH T186B4DF02B3C08836D67B227A49ABD71933B9FC204F65C38726C47E5F6E326D55E26352
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195736/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Trickpak.gen.14965.2038.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/615eb75598a6280f3933850e/reports/a83ffee2-74a6-4f80-bfba-d5ef57204223/overview
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866289
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498718 Sample: BSQ4wRQciB.dll Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Found malware configuration 2->70 72 Antivirus detection for URL or domain 2->72 74 4 other signatures 2->74 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        12 rundll32.exe 2->12         started        process3 process4 14 rundll32.exe 8->14         started        17 cmd.exe 1 8->17         started        19 rundll32.exe 8->19         started        21 rundll32.exe 10->21         started        23 rundll32.exe 12->23         started        signatures5 86 Writes to foreign memory regions 14->86 88 Allocates memory in foreign processes 14->88 90 Queues an APC in another process (thread injection) 14->90 25 wermgr.exe 3 14->25         started        30 cmd.exe 14->30         started        32 rundll32.exe 17->32         started        34 wermgr.exe 19->34         started        36 cmd.exe 19->36         started        38 wermgr.exe 21->38         started        40 cmd.exe 21->40         started        42 wermgr.exe 23->42         started        44 cmd.exe 23->44         started        process6 dnsIp7 56 185.56.175.122, 443, 49773, 49776 VIRTUAOPERATOR-ASPL Poland 25->56 58 105.27.205.34, 443, 49788, 49792 SEACOM-ASMU Mauritius 25->58 60 4 other IPs or domains 25->60 52 C:\Users\user\AppData\...\zzBSQ4wRQciBjv.dmo, PE32 25->52 dropped 76 May check the online IP address of the machine 25->76 78 Tries to detect virtualization through RDTSC time measurements 25->78 80 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->80 82 Writes to foreign memory regions 32->82 84 Allocates memory in foreign processes 32->84 46 wermgr.exe 3 32->46         started        50 cmd.exe 32->50         started        file8 signatures9 process10 dnsIp11 62 181.129.167.82, 443, 49774, 49780 EPMTelecomunicacionesSAESPCO Colombia 46->62 64 ipinfo.io 34.117.59.81, 49779, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 46->64 66 3 other IPs or domains 46->66 54 C:\Users\user\AppData\...\skBSQ4wRQciBok.dmo, PE32 46->54 dropped file12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-07 09:01:08 UTC
AV detection:
7 of 45 (15.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0c447e49621b34d77ed3787c07cf0e52d2db4c33a113fb6aa9074df277fdf1eb
TrickBot
264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98
TrickBot
37c129eb8bb575d7ac12fdd14b5d05edee15c1230d7b712e5b9d2533f78dc5b4
TrickBot
4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919
TrickBot
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
TrickBot
98190daef6fabe0513518943ffbc9abcaf4dd7c0bfd37bc996fbbe261d831b3c
TrickBot
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
TrickBot
cc70ac8b26533957b1e85c73a31e5a141b6cf7b73111a04e53a48ebf0e615415
TrickBot
decd474e4c808ac1a3255e1b6aecab359028bbadb6852f9ff70b33fdea648978
TrickBot
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
TrickBot
+ 4'080 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:fat1 banker suricata trojan
Link:
https://tria.ge/reports/211007-kyw43acdbq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
9c8b04423100da077bd128ce7f819064f7ed1a6c8897a792bfc1b20423ef6988
MD5 hash:
e6cf2df32bbebb0a2bddd0ad04fdfbe4
SHA1 hash:
ea316e164aeddd9832426023daf04f8a2f47f26d
Link:
https://www.unpac.me/results/b6514dd9-75cd-4a93-88fa-c78201afc73b/
SH256 hash:
ee60352e84e0eea543aed0f41ab70ac65cd0ac4226c42b09c0177dfa5ada2dfa
MD5 hash:
e6fc3463f7df7f7e661b352346681d60
SHA1 hash:
da11152f274bcc29ce33ec9cd6da21685f350f84
Link:
https://www.unpac.me/results/b6514dd9-75cd-4a93-88fa-c78201afc73b/
SH256 hash:
6a7713508a070a4ef2123bfc999fb9bf012ee5fe475a3b3adfeb99990c6a664d
MD5 hash:
30ec7187a0d5f14d5535929a274e51aa
SHA1 hash:
8040f763f4d0bf018f4a1a73965151b2dcb323f7
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b6514dd9-75cd-4a93-88fa-c78201afc73b/
Parent samples :
cc70ac8b26533957b1e85c73a31e5a141b6cf7b73111a04e53a48ebf0e615415
dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727
37c129eb8bb575d7ac12fdd14b5d05edee15c1230d7b712e5b9d2533f78dc5b4
0c447e49621b34d77ed3787c07cf0e52d2db4c33a113fb6aa9074df277fdf1eb
4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919
264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98
61d1417ece7c1bbd2fd4ca685fc92c5239fa8ced521b90cd92cebc983d4fcc5e
dbd1cfed3d0b57ac4b4affbcd942287617d1f7bdd322ba2464d22020e4e29200
SH256 hash:
3c7991fab579f08e337fe14fab42616ab1df9e1899db4508b50671b941f265e9
MD5 hash:
f3332f3fc1dd8fb7dc499cb566afd81b
SHA1 hash:
3c57fab42973d602992deff26060aad835d8ad87
Link:
https://www.unpac.me/results/b6514dd9-75cd-4a93-88fa-c78201afc73b/
SH256 hash:
dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727
MD5 hash:
963792ec63e0f0dfdff62046fc03bfa4
SHA1 hash:
f8536268a3233bf571422b4e45a18ebbefe02082
Link:
https://www.unpac.me/results/b6514dd9-75cd-4a93-88fa-c78201afc73b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dcb653aeaf89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1659212/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195736/

Comments