MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4
SHA3-384 hash: 27f99200cf8308e0321e759831b5104afcc91001592445371eddb0e98438a2a5d57138871e854ed8e190780dfd5a1fed
SHA1 hash: c653f707d23ea22c65bdc88e6f6a310f83f8cdf8
MD5 hash: 57ee70462da3c968d4ef8466e2855418
humanhash: jersey-sierra-timing-london
File name:mal.bin
Download: download sample
Signature TrickBot
Create hunting rule
File size:278'016 bytes
First seen:2020-12-29 17:19:36 UTC
Last seen:2020-12-31 02:47:35 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash b52bbb84ffa6513feafd5ee7224f661a (1 x TrickBot)
ssdeep 6144:yZB0sguF1CBLyMY+IzkQBmqe6t6mMe5hCe/6bS42WjMg0nwNA1S:yZBvguzOLENhwqe6t6mMe5we/sS42Wfr
Threatray 2'950 similar samples on MalwareBazaar
TLSH 1844122035E28032D1DA667444B4EBA10EBE7C415BF4C02AFF782A7A5F25BC167753B2
Reporter j_dubp
Tags:TrickBot

Intelligence

File Origin
# of uploads :
4
# of downloads :
432
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.CryptDoma.dc.9874.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/571563
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 334847 Sample: mal.bin Startdate: 29/12/2020 Architecture: WINDOWS Score: 68 24 wtfismyip.com 2->24 36 Multi AV Scanner detection for submitted file 2->36 38 Machine Learning detection for sample 2->38 9 loaddll32.exe 1 2->9         started        signatures3 process4 process5 11 regsvr32.exe 9->11         started        14 cmd.exe 1 9->14         started        signatures6 40 Writes to foreign memory regions 11->40 42 Allocates memory in foreign processes 11->42 16 wermgr.exe 11->16         started        19 iexplore.exe 2 72 14->19         started        process7 signatures8 32 Tries to detect virtualization through RDTSC time measurements 16->32 34 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 16->34 21 iexplore.exe 154 19->21         started        process9 dnsIp10 26 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49743, 49744 FASTLYUS United States 21->26 28 www.msn.com 21->28 30 7 other IPs or domains 21->30
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2020-12-29 17:20:04 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0f252d0b4a20555653ca22dcc8141dfeca1091d8dadbb5c98f2c7b3884ee0009
TrickBot
126119655bf88be629e8cb7af17b74ed7316557a170e43bb518ce3072d1b6aef
TrickBot
2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed
TrickBot
52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
TrickBot
648d3b8639ff54b8741ec84898b213836594539de6f0c11a6c9f34dccf5e79fe
TrickBot
6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
TrickBot
89ba36ddab48b3cdd3a8db026463e79391c6ca7f0b04a9ea8b71969add67b276
TrickBot
bfa088b1ea61efa003343b09a536eaffa12bc90fb612f8ebcb8182785bb6eb16
TrickBot
c98b7b275bf404b2e20641f7802e686e8a64b7aa72e1ec0152cf03667daea2be
TrickBot
ea5c72bce7e028a6b2f9febd90751bf0e323da00b4b0d68be2a52ed21fe2a4d0
TrickBot
+ 2'940 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob33 banker trojan
Link:
https://tria.ge/reports/201229-qjzvyldnva/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Program crash
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449
Unpacked files
SH256 hash:
e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4
MD5 hash:
57ee70462da3c968d4ef8466e2855418
SHA1 hash:
c653f707d23ea22c65bdc88e6f6a310f83f8cdf8
Link:
https://www.unpac.me/results/58075cb0-abb7-42c2-9dba-dc7c96ac9a6d/
SH256 hash:
031e53b6ecdc2ca6e873df8dc717b624ca2e5b6a99844081534355cea0a41edf
MD5 hash:
b3f70009dbc370420b6e3494d173ccd3
SHA1 hash:
191113b2a1361cd171f15bf057fd10af0ceef8ff
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/58075cb0-abb7-42c2-9dba-dc7c96ac9a6d/
SH256 hash:
d39d71a46bc108ae8a11a8eb9c1a1835e058121e77df07c92a4d48a71f151bcc
MD5 hash:
c10a2e291ab9027792a8277eb263e67c
SHA1 hash:
5eae29051b050e0a29f37984162187613c376977
Link:
https://www.unpac.me/results/58075cb0-abb7-42c2-9dba-dc7c96ac9a6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CryptDoma
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

DLL dll e36baf947ea6292bc5d73b9ec405a91a6939a487da6c8ca920bae5a4a624f1d4

(this sample)

anyrun
any.run
https://app.any.run/tasks/6e2d1801-8b54-4f44-ae64-56d885d6bffd/
  
Delivery method
Distributed via e-mail attachment

Comments