MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b
SHA3-384 hash: 6922fa03dbdf148983a2fb56d65009b5378842dffcc8768dc29738a955ca024a05654198d4869282d0bfbacb58e39180
SHA1 hash: 0f191570dcbecda0c18c48eac960c0def6779e2f
MD5 hash: 814071ec92b0429d274082e3993aa5af
humanhash: batman-stream-fillet-freddie
File name:image2.bmp.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:507'983 bytes
First seen:2021-05-13 17:42:22 UTC
Last seen:2021-05-13 19:05:50 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 8e582c210faeed0d4f7cfa9f24588236 (2 x TrickBot)
ssdeep 12288:LjRFSJwvFdFr2XUDHt4V9/P8PpGoYr4MV/UJ:LDSJwvHFrlB4Vx8hGr4MVa
Threatray 3'352 similar samples on MalwareBazaar
TLSH 33B4CF1170A1C437F7EE03728D672FE7EAF9BD024BB9A14BD3928E4C1835947592AE11
Reporter James_inthe_box
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
3
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/156278/
Detection(s):
SecuriteInfo.com.generic.ml.15623.15274.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/781273
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses Windows timers to delay execution
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 413670 Sample: image2.bmp.dll Startdate: 13/05/2021 Architecture: WINDOWS Score: 92 38 Found malware configuration 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Trickbot 2->42 44 Initial sample is a PE file and has a suspicious name 2->44 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        signatures5 46 Writes to foreign memory regions 10->46 48 Allocates memory in foreign processes 10->48 50 Uses Windows timers to delay execution 10->50 17 wermgr.exe 10->17         started        20 rundll32.exe 13->20         started        22 wermgr.exe 15->22         started        process6 signatures7 26 Found potential dummy code loops (likely to delay analysis) 17->26 28 Tries to detect virtualization through RDTSC time measurements 17->28 30 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 17->30 32 Writes to foreign memory regions 20->32 34 Allocates memory in foreign processes 20->34 36 Uses Windows timers to delay execution 20->36 24 wermgr.exe 20->24         started        process8
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-05-13 13:46:14 UTC
File Type:
PE (Dll)
Extracted files:
18
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kbwkhrxiuzuthivkk4uabpqanqp3jhsm72g24m3w2yc5b3eeq5q._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0cbb778ba97972e04788fa7fee0d36e4c0e584df2dd07fa9cc93c6fa1a81a6b2
TrickBot
1df7adb79eb1757f7c54e86369c72a38b24ec25a608d5281b289d5e018e81757
TrickBot
241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808
TrickBot
3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18
TrickBot
678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24
TrickBot
697dea4b154178e8de096c66167b539aa4465155d294b11765f1a1886eb7c56d
TrickBot
a8f0fe4419ee163d9230feca6a00693c5f61948159fe869ead51ec3398b7038d
TrickBot
c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2
TrickBot
d1fd867dd79bb803974e18598bdc97cbb8f51acffeb8739ce2f01dff29985803
TrickBot
f90aeb669c32ed6f1009101cc3c071a840f25c7828035601e92f4e17cd95b606
TrickBot
+ 3'342 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob78 banker trojan
Link:
https://tria.ge/reports/210513-73hgzwst1n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/156278/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-13 18:00:27 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.012] Anti-Behavioral Analysis::Human User Check
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [F0002.002] Collection::Polling
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0050] File System Micro-objective::Set File Attributes
11) [C0052] File System Micro-objective::Writes File
12) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
13) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
14) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
15) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
16) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
17) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
18) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
19) [C0040] Process Micro-objective::Allocate Thread Local Storage
20) [C0038] Process Micro-objective::Create Thread
21) [C0054] Process Micro-objective::Resume Thread
22) [C0041] Process Micro-objective::Set Thread Local Storage Value
23) [C0055] Process Micro-objective::Suspend Thread
24) [C0018] Process Micro-objective::Terminate Process