MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6
SHA3-384 hash:	cae594d43ae82ac73a7ca1a75cef69cab73a0f4f54e0ee5f2e85b4e4cec315c2350cf360dca3d47142cb9cf160b82833
SHA1 hash:	a831a69d35a957e64dc625c73449e0d3f695d7dd
MD5 hash:	6ce6bac6ab3c7792af9dc566b81f206a
humanhash:	montana-happy-saturn-sierra
File name:	6ce6bac6ab3c7792af9dc566b81f206a.dll
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	577'024 bytes
First seen:	2021-11-21 10:22:04 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
ssdeep	12288:Xwae8BBpNOXsE3Qw/tCDkoySj5hKNMWbFzrT9:XDD/OXHFUn5hKlZzrT9
Threatray	5 similar samples on MalwareBazaar
TLSH	T1F7C47D659C70D123F3CA76B7EA39A5D2E63398821AA3D373BFDE06841147AD09D85F10
Reporter	abuse_ch
Tags:	dll TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

757

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the Windows subdirectories

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/619a1e0894a88037d2fc44a0/reports/6f7a13e2-2e9a-4b76-b81f-f4d4717e3965/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0234ed40-5f7a-4ea1-9e4f-ce1bfeb408e3

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-11-11 19:42:22 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Verdict:

malicious

TrickBot

5190ec8f66158522da23e655a5350c5c477cdf4ddc8c64eb9306764cd72f4e2a

TrickBot

aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6

TrickBot

cc7045d9fe77c4aa4cb646d01fb4700008a34f58f49358d0b0b0997d21016aab

TrickBot

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:soc1 banker trojan

Link:

https://tria.ge/reports/211121-meag3aggc8/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Unpacked files

SH256 hash:

fcb952445e138dd50f50abe0f42d4ce2149ca82b71dfea272c6a128f0733e5d4

MD5 hash:

1876997df3b6eb6ad15aeadba62222e8

SHA1 hash:

d11ca5b0c7d0c53b378c06b3d0468e4783d3679c

Link:

https://www.unpac.me/results/a933dd5e-2237-49bf-8c6c-cc667bfd8dcc/

SH256 hash:

e98ca956f4f94b5c8b063327a1fe27fb804bc2e52190a68c577490c3192ae663

MD5 hash:

4b535dbe595f89c3bcaa4f43cc1323a3

SHA1 hash:

4162c873be81f5aac6ca0a1ed7f84bfe86ec4262

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/a933dd5e-2237-49bf-8c6c-cc667bfd8dcc/

Parent samples :

19f0c6a50f5c4fc4da0233cac0ce5c3cfb70a03c15adfe9f78aaf3c2164210dc
c8967382e53061b59cf54be076b1aa75c9dd10806e786cc745f61a3bcb7b0593
ccdc5d40766fbcc6f08efaadea41d51700fd13285eecfa63781a867b8850195b
104b9976e7e50031ded3bf9532a79b45502732668f23092f33fc71cecaa79977
5190ec8f66158522da23e655a5350c5c477cdf4ddc8c64eb9306764cd72f4e2a
aba735a82178442cc09f6b4cb3091a2526fe602a43954cb41e6acf14295e3bc6
ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6

SH256 hash:

ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6

MD5 hash:

6ce6bac6ab3c7792af9dc566b81f206a

SHA1 hash:

a831a69d35a957e64dc625c73449e0d3f695d7dd

Link:

https://www.unpac.me/results/a933dd5e-2237-49bf-8c6c-cc667bfd8dcc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ddf18de4cbb6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll ddf18de4cbb6d9731b53cff4a3285dfc913ea70fcf4ac88a829a21cf4911bdd6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1766024/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/207866/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Malware Config

Unpacked files

File information

Comments

Login required