MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2f6ac2c144bf28ac853c5dc3f3c4ce5ff08f42076c1d996c1ebb6362f9e66dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2f6ac2c144bf28ac853c5dc3f3c4ce5ff08f42076c1d996c1ebb6362f9e66dc
SHA3-384 hash: df684b127515f78546990f6855892df928f9c7d30897f3d080fb9b6479acf0982caa67cb73f750f0d64e0b3fad92ca04
SHA1 hash: f485418aaaf6f19e3667aab47d6c2fcb4cb3d545
MD5 hash: 35ee773079b553e228c8cc8ddad09e80
humanhash: princess-cola-tennessee-october
File name:SecuriteInfo.com.Trojan.GenericKD.36426529.10317.558
Download: download sample
Signature TrickBot
Create hunting rule
File size:560'128 bytes
First seen:2021-03-16 08:50:31 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 70c2af83794bb23e5ff45677bfcd4d77 (1 x TrickBot)
ssdeep 6144:YWupppqFpnclMKWj3RfUuIOqg6SVAKycH3vKbqZrMWON+n4BdpNZ0jXfcmpxlIkH:7DRUg1VafNrBdpNSQmpPFYgXJt
Threatray 3 similar samples on MalwareBazaar
TLSH 76C4D032F55C4422C4FA1A3318B1FFC7D52DE39C9F62565B71AC0A8C8A648E1AB65F07
Reporter SecuriteInfoCom
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36426529.10317.558.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/556c8596-e80f-49f7-923b-5045297c60e2
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/640480
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 369213 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 16/03/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 4 other signatures 2->50 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 regsvr32.exe 8->17         started        signatures5 60 Writes to foreign memory regions 12->60 62 Allocates memory in foreign processes 12->62 64 Delayed program exit found 12->64 19 wermgr.exe 12->19         started        23 wermgr.exe 12->23         started        25 iexplore.exe 1 73 15->25         started        process6 dnsIp7 32 131.255.106.152, 449, 49749, 49755 TheHousesTelevisionCAConexTELECOMVE Venezuela 19->32 34 181.191.67.186, 447, 49781 SOLUCIONESWISPSAAR Argentina 19->34 36 6 other IPs or domains 19->36 52 Hijacks the control flow in another process 19->52 54 Writes to foreign memory regions 19->54 27 svchost.exe 19->27         started        56 Tries to detect virtualization through RDTSC time measurements 23->56 58 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 23->58 29 iexplore.exe 152 25->29         started        signatures8 process9 dnsIp10 38 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49740, 49741 YAHOO-DEBDE United Kingdom 29->38 40 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49734, 49735 FASTLYUS United States 29->40 42 10 other IPs or domains 29->42
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e2f6ac2c144bf28ac853c5dc3f3c4ce5ff08f42076c1d996c1ebb6362f9e66dc/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 19:45:17 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4l3kylaujpzivsctyxod6pcm4x7qr5bao3a5tfwb5o3dml46m3oa._file
Verdict:
unknown
Similar samples:
0bf610b97ec21501f19486cbc1e77aec26cea2da6dfa090f2f6f8e32e91419bb
TrickBot
429e9035efc32018d96e22cbbb8a5d89f9d8b5887ba3a151143e5d77b6b5498f
TrickBot
71b4913ef363073f0ecc4b4c5af3ad4b4889ac7f22a3e34d54c9b6572b83c483
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:mon92 banker trojan
Link:
https://tria.ge/reports/210316-1kdw1fdqee/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
103.225.138.94:449
122.2.28.70:449
123.200.26.246:449
131.255.106.152:449
142.112.79.223:449
154.126.176.30:449
180.92.238.186:449
187.20.217.129:449
201.20.118.122:449
202.91.41.138:449
95.210.118.90:449
Unpacked files
SH256 hash:
ff2ed0edd05cbcc3b22047e715fe2cc5f702649c06fc8e1e5f5dd2955a1a84af
MD5 hash:
f14d7513c324bb036d1025efbcdefe18
SHA1 hash:
4b79718a62d8b50de43016fba456c24ba9562b01
Link:
https://www.unpac.me/results/7bf86a04-2895-448d-9ef9-66d847041cc9/
SH256 hash:
b488d692c3af74e88b3ab8476adfa68f8021bc33a88aaaaba6626307ced4b262
MD5 hash:
acd35ea02796d713e4140ea95d9ee549
SHA1 hash:
8605d08905f91d4fcb93e446fb48d8b97acd6d3a
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7bf86a04-2895-448d-9ef9-66d847041cc9/
SH256 hash:
e2f6ac2c144bf28ac853c5dc3f3c4ce5ff08f42076c1d996c1ebb6362f9e66dc
MD5 hash:
35ee773079b553e228c8cc8ddad09e80
SHA1 hash:
f485418aaaf6f19e3667aab47d6c2fcb4cb3d545
Link:
https://www.unpac.me/results/7bf86a04-2895-448d-9ef9-66d847041cc9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2f6ac2c144bf28ac853c5dc3f3c4ce5ff08f42076c1d996c1ebb6362f9e66dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll e2f6ac2c144bf28ac853c5dc3f3c4ce5ff08f42076c1d996c1ebb6362f9e66dc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1070379/
  
Delivery method
Distributed via web download

Comments