MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e11869b6475b5308b8c23356489835be4e7a6668714c0eb6d289cdf83eb0c81e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e11869b6475b5308b8c23356489835be4e7a6668714c0eb6d289cdf83eb0c81e
SHA3-384 hash: 3a3af2b84642afb10877d06afb75d96ba13d7afa76d2b5cf3a1159cb14d7be45ba7ad01e37ecc790321e6b876ea7012f
SHA1 hash: 738e362295cabb1dbfc8694e6462300116fdb778
MD5 hash: eadde5e39575d91cb613b840e9ad1ce2
humanhash: idaho-fillet-salami-early
File name:eadde5e39575d91cb613b840e9ad1ce2
Download: download sample
Signature TrickBot
Create hunting rule
File size:414'208 bytes
First seen:2021-07-01 17:41:57 UTC
Last seen:2021-07-01 18:43:52 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9c7729e7e6125436737710b1ba737d7e (4 x TrickBot)
ssdeep 6144:E4Gp1gZmOqpDLlkMOzuOLWSbrrbysRLjq0wcAc1ot:SrgZmI56OLWS6sRLjFw61o
Threatray 5 similar samples on MalwareBazaar
TLSH 0994E1226781C872E1CB113985B687B54B6ABC129BB074C72BD43E7FAF246C1CF75219
Reporter zbetcheckin
Tags:32 dll exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169209/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.32606.1284.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9406532-43f0-45f1-b37f-789b33f3fde7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/810729
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443140 Sample: 0GTtcrFR5W.dll Startdate: 01/07/2021 Architecture: WINDOWS Score: 72 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        12 cmd.exe 1 7->12         started        14 iexplore.exe 1 74 7->14         started        16 3 other processes 7->16 signatures5 52 Writes to foreign memory regions 9->52 54 Allocates memory in foreign processes 9->54 18 wermgr.exe 9->18         started        22 cmd.exe 9->22         started        24 rundll32.exe 12->24         started        26 iexplore.exe 150 14->26         started        28 WerFault.exe 23 9 16->28         started        process6 dnsIp7 30 60.51.47.65, 443, 49763 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 18->30 32 204.138.26.60, 443, 49751 NTT-COMMUNICATIONS-2914US United States 18->32 38 10 other IPs or domains 18->38 46 Tries to detect virtualization through RDTSC time measurements 18->46 48 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 18->48 50 Delayed program exit found 24->50 34 prod.appnexus.map.fastly.net 151.101.1.108, 443, 49736, 49737 FASTLYUS United States 26->34 36 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49738, 49739 FASTLYUS United States 26->36 40 11 other IPs or domains 26->40 signatures8
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e11869b6475b5308b8c23356489835be4e7a6668714c0eb6d289cdf83eb0c81e/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 17:42:09 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3e31457cdda7e7efb0798e7b06c4c23251f3a5416bb4355bc2564e99c7d401b0
TrickBot
54f6fe3e63891e2c0b925cf17385c6df56d824cee163111e93fef76c6476a535
TrickBot
5f53adb34adbcb6eeec29d48e9d80a401d1476eff2e826cb2c7ac02d8d7e2785
TrickBot
7d4d5ddf016f84445c94bf5ee4d715be092f8711b70ebd17f48f2956fba0487d
TrickBot
e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:sat2 banker trojan
Link:
https://tria.ge/reports/210701-ppznzf1xbe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
e11869b6475b5308b8c23356489835be4e7a6668714c0eb6d289cdf83eb0c81e
MD5 hash:
eadde5e39575d91cb613b840e9ad1ce2
SHA1 hash:
738e362295cabb1dbfc8694e6462300116fdb778
Link:
https://www.unpac.me/results/235d421b-8e47-4981-ac78-c34d64190ba3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e11869b6475b5308b8c23356489835be4e7a6668714c0eb6d289cdf83eb0c81e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll e11869b6475b5308b8c23356489835be4e7a6668714c0eb6d289cdf83eb0c81e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1417124/
Cape
Cape
https://www.capesandbox.com/analysis/169209/

Comments


Avatar
zbet commented on 2021-07-01 17:41:58 UTC

url : hxxp://162.248.225.89/m1.dll