MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1c3eeb926cb6b2652dab8077a2ffcca6da1005423debe16e5ca1a4e1b5b5858. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1c3eeb926cb6b2652dab8077a2ffcca6da1005423debe16e5ca1a4e1b5b5858
SHA3-384 hash: 68ad396f8f90e46a80e31a0d0c69e2e9a9432eb2e2ba23430e0b5e0646f55d9cb5487cf6c47dffd027b8ffb78ff5f349
SHA1 hash: dcfcfd02bd709280e55ae8356ffa2f7744092e28
MD5 hash: 8291cbc6873e8019b6c0cb4472393d0f
humanhash: stream-glucose-sodium-eight
File name:8291cbc6873e8019b6c0cb4472393d0f.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:603'648 bytes
First seen:2021-02-20 09:29:09 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 95daca5802fc1a3dddaa23c9a8d1e835 (2 x TrickBot)
ssdeep 12288:Ua35NNMyw08jsI525olVNyM+ptFzTphtaMww0PXMUiMM8:Ug5NNhw0UT525oLN6pt1Tph0Rv
Threatray 8 similar samples on MalwareBazaar
TLSH EAD4BF00B282D032D1C735799529C7B56FA9BE30579281C77BD86E7E6B712E39B3070A
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118095/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45755314.1107.28170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/613244
Signature
Multi AV Scanner detection for submitted file
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355638 Sample: Uiha1GUS7S.dll Startdate: 20/02/2021 Architecture: WINDOWS Score: 56 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Trickbot 2->36 8 loaddll32.exe 1 2->8         started        10 WerFault.exe 2->10         started        process3 process4 12 cmd.exe 1 8->12         started        14 regsvr32.exe 25 8->14         started        16 rundll32.exe 8->16         started        18 regsvr32.exe 10->18 injected process5 20 iexplore.exe 1 74 12->20         started        dnsIp6 26 192.168.2.1 unknown unknown 20->26 23 iexplore.exe 153 20->23         started        process7 dnsIp8 28 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49763, 49764 FASTLYUS United States 23->28 30 geolocation.onetrust.com 104.20.184.68, 443, 49753, 49754 CLOUDFLARENETUS United States 23->30 32 8 other IPs or domains 23->32
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1c3eeb926cb6b2652dab8077a2ffcca6da1005423debe16e5ca1a4e1b5b5858/
Threat name:
Win32.Trojan.BankerX
Create hunting rule
Status:
Malicious
First seen:
2021-02-20 02:16:05 UTC
AV detection:
5 of 48 (10.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hb65ojgznvsmuw2xadxul74zjw2cacueppl4fxfzine4g23lbma._file
Verdict:
malicious
Similar samples:
0625bea68b6be5ad9ed6db90bec12edda258780979e7e4c7792604c41d4c3905
TrickBot
062f094b3b20d67c5dbaee280d3def3d9c352401e5a0306cc19565034e8937a2
TrickBot
2b08e7b15acdf76390aa499573b76edbdc69617be61a2fbc0536eb24eada0c79
TrickBot
31caa6f66af8581cd7592d9b0e847127bfb2d28575b188ed178b36c3a7435693
TrickBot
4cb9353864db2de66ec2201a6c540225ccedfa738752416cad191c7b3a3ef397
TrickBot
661472b71badf2d2b85cfa9f65c1c5982d0497a7d31f90281f377ee67abb6408
TrickBot
7c7898e90623da9078ce067a44f22e835a1666724f7c03f9f34c145c02ca9979
TrickBot
b861535f129ce740a26f50318c44e0405be62eaaa21f6366ec64368074d966cf
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:mon65 banker trojan
Link:
https://tria.ge/reports/210220-ncj7a61yva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
Unpacked files
SH256 hash:
e1c3eeb926cb6b2652dab8077a2ffcca6da1005423debe16e5ca1a4e1b5b5858
MD5 hash:
8291cbc6873e8019b6c0cb4472393d0f
SHA1 hash:
dcfcfd02bd709280e55ae8356ffa2f7744092e28
Link:
https://www.unpac.me/results/6f0949d4-09b4-4410-9840-3ba51a3ac749/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:MALWARE_Win_Emotet
Create hunting rule
Author:ditekSHen
Description:Detects Emotet variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll e1c3eeb926cb6b2652dab8077a2ffcca6da1005423debe16e5ca1a4e1b5b5858

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/118095/
  
URLhaus
https://urlhaus.abuse.ch/url/1019707/
  
Delivery method
Distributed via web download

Comments