MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e177d899ad1fe93863e30a44fe7adcdbe6cbde5594c9ffe63115592fb2a39de0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	e177d899ad1fe93863e30a44fe7adcdbe6cbde5594c9ffe63115592fb2a39de0
SHA3-384 hash:	c628c1a2d6800da37f3542f54fde434506aee26e7f0cdcb2f46080b914dedca54cc37abc64c55a45f2a01c58441c451e
SHA1 hash:	bfe3f6d3fb86a6538b3364e966abafb647eed021
MD5 hash:	4610eeac2606fb87588f945a68575a6b
humanhash:	purple-fourteen-twelve-emma
File name:	unpacked.dll
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	133'632 bytes
First seen:	2021-11-22 17:44:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:CVMvhoQEma7BDEny211coblUwXkZ0oOp3cbn34z:hhoLr9O1cobOwXkZ0oOV4
Threatray	17 similar samples on MalwareBazaar
TLSH	T1E3D35B19FAC7D2F1EE8104B0232EB37F69761706A71699C3C3A45C14A9116F3E23E66D
Reporter	ffforward
Tags:	dll exe rob139 TrickBot unpacked

Intelligence

File Origin

# of uploads :

# of downloads :

903

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

unpacked.dll

Verdict:

Malicious activity

Analysis date:

2021-11-22 17:54:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/017343a9-ae00-4e7e-99d4-6f3da370c885

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

Win.Trojan.Trickbot-9833091-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Сreating synchronization primitives

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

packed

Link:

https://www.filescan.io/uploads/619bd72194a88037d2fecd15/reports/d0c75fe0-e56a-4518-965c-a24dd0418382/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

TrickBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aeef63d1-191a-45df-b07c-a5bf9febf5ca

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/894083

Signature

Antivirus / Scanner detection for submitted sample

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/e177d899ad1fe93863e30a44fe7adcdbe6cbde5594c9ffe63115592fb2a39de0/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-11-22 17:45:10 UTC

File Type:

PE (Exe)

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4f35rgnnd7utqy7dbjcp46w43ptmxxsvste77zrrcvms7mvdtxqa._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

25939f03c43151ec5474f746fc71510fb6abe8b5e41da44fef74b6bc806e26b4

TrickBot

4f9ee40b7d76b088cefa490c13237ad5bcfac195dbbac32d5f14d002189fa2c9

TrickBot

607ae69db9a94f6c75a215adcd1a9ffbdd4a66c09ec0d50f274f83cab8ad58f2

TrickBot

7974d6324dbba7811d9a59dd5784751536a35689a50609e2739ba3370c70aa43

TrickBot

a67c82a1a2170e3e7c047133489867f844674009720628058aa7d9299b2b89ab

TrickBot

b00e7f74539cf39940c9044b6ac1d131a23c896c7905d71a087a01245232ada3

TrickBot

bc27bd1905991f35c3a125279ea0a20d7f723f80778ae6cc07b37179b2e1f83a

TrickBot

+ 7 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:rob139

Link:

https://tria.ge/reports/211122-wbqjjsbfb3/

Behaviour

Suspicious use of AdjustPrivilegeToken

Malware Config

C2 Extraction:

65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Unpacked files

SH256 hash:

e177d899ad1fe93863e30a44fe7adcdbe6cbde5594c9ffe63115592fb2a39de0

MD5 hash:

4610eeac2606fb87588f945a68575a6b

SHA1 hash:

bfe3f6d3fb86a6538b3364e966abafb647eed021

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/6de50602-cbce-42b7-8fd9-76922090d470/

Parent samples :

2a039fd90e9150cf1caacb66326d0a3aae6f050c6d0a20e0adbaa2a2e3025450
d8ec9f0a62bf5507bee6eaa6fa254937b65a0e27fee0906d715aa7fefa4da968
0d8f71039695b040b07f1d5781b4ef5e50b318532eb1139b5de954f13c6751ae
e177d899ad1fe93863e30a44fe7adcdbe6cbde5594c9ffe63115592fb2a39de0
c988a65d39f617c531454c2f15971c0a769d42ac84bea0a7a3bd89394ba3e654
355d4c4c8eabcf15161ac4754c6a20fd1945c91a90f88e90de1d2ba2ac1545de

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e177d899ad1f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.28

Link:

https://yomi.yoroi.company/submissions/e177d899ad1fe93863e30a44fe7adcdbe6cbde5594c9ffe63115592fb2a39de0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	TrickBot Create hunting rule
Author:	sysopfb & kevoreilly
Description:	TrickBot Payload

Rule name:	win_trickbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/208310/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample