MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e70bf6458eee2cfcf961aa219af2296cf14df04a9dbb3686ddcde1478fe38265. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9

SHA256 hash: e70bf6458eee2cfcf961aa219af2296cf14df04a9dbb3686ddcde1478fe38265
SHA3-384 hash: 004ea61e4b96d5233beee139bfd8c6b11704d3263a426acc3c70f49af8ab8e1c74da8e4e917cd9923d42cc750670e42b
SHA1 hash: 3e4391374f9ecc3a8804ec5c3c002eecc42f4bcf
MD5 hash: d88e5e358edf7547492895722279ad65
humanhash: violet-emma-mockingbird-eleven
File name: 3F9E.dll
Signature: TrickBot
File size: 860'160 bytes
First seen: 2021-07-13 21:11:15 UTC
Last seen: 2021-07-13 21:40:53 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 81c8d4efdaa8268b916771c030dbc02e (1 x TrickBot)
ssdeep: 24576:9FXrL6K8HH5wPa9oHc8sOTT/FeE1gJT7Tq8WC:9FXonnOcCTTZc7TqK
Threatray: 818 similar samples on MalwareBazaar
TLSH: T1D005CF51A2C18032F4FF01F695FD461B5965BEA10B3495CBB3C8EE4E2AB16D2AE30717
Reporter: malware_traffic
Tags: dll gtag mod7 mod7 TrickBot


malware_traffic
run method: rundll32.exe [filename],StartW

Intelligence


File Origin
# of uploads: 2
# of downloads: 181
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
TrickBot
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Behavior Graph ID: 448316
Sample: 3F9E.dll
Startdate: 13/07/2021
Architecture: WINDOWS
Score: 92
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Yara detected Trickbot; Sigma detected: CobaltStrike Load by Rundll32
Process tree (per-process signatures in brackets, network contacts on "network:" lines):
loaddll32.exe
    rundll32.exe [Writes to foreign memory regions; Allocates memory in foreign processes]
        wermgr.exe [May check the online IP address of the machine; Writes to foreign memory regions; Tries to detect virtualization through RDTSC time measurements; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)]
            network: 45.36.99.184:443 (local ports 49762, 49769; TWC-11426-CAROLINASUS, United States); 138.34.28.35:443 (local port 49757; BACOMCA, Canada); 7 other IPs or domains
            cmd.exe
                conhost.exe
        cmd.exe
    cmd.exe
        rundll32.exe [Allocates memory in foreign processes]
            wermgr.exe [Writes to foreign memory regions]
                network: 97.83.40.67:443 (local ports 49758, 49767; CHARTER-20115US, United States); 170.238.117.187:443 (local ports 49768, 49770; America-NETLtdaBR, Brazil); 6 other IPs or domains
                cmd.exe
                    conhost.exe
            cmd.exe
    rundll32.exe
        wermgr.exe
        cmd.exe
rundll32.exe
rundll32.exe
Result
Malware family:
trickbot
Score:
10/10
Tags:
family:trickbot botnet:mod7 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SHA256 hash:
edf01a3a272ee12ba4e69e13b0a568848946bad92f18ae48de902aa84f80f75c
MD5 hash:
3bd398a31a88a9ee5e8fbcbf13637cea
SHA1 hash:
c4b60abf948d426cac182c9b84467dfe08b4594e
Detections:
win_trickbot_auto
SHA256 hash:
7eea56a586c9ad44111e1d5bdee4be861120e3db2bfe193650bc5f4ff97a77f2
MD5 hash:
2b1d65f6bd06cbd8d8ac5919dfe02311
SHA1 hash:
8a4e3ef31bd32ef03e910fddb5ba1edb15e8c0bf
SHA256 hash:
492fe76da3af2bc02f0b6738300714e87e5047f14bc27157642eeb5920b15190
MD5 hash:
90bd16538d5a14cc02680e94c4ac4686
SHA1 hash:
7ac496b55248a221725960e39e5b3e8197927a87
SHA256 hash:
9b3e6da7494788629973535769ebbd870b370a40e613e7a5fb3c1670c130cb54
MD5 hash:
deadffdf7fc875c596ac271cb0449a6f
SHA1 hash:
6cdfe2189878f3cca148ece51b2ceacf42984573
SHA256 hash:
e70bf6458eee2cfcf961aa219af2296cf14df04a9dbb3686ddcde1478fe38265
MD5 hash:
d88e5e358edf7547492895722279ad65
SHA1 hash:
3e4391374f9ecc3a8804ec5c3c002eecc42f4bcf
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments