MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebd0809f7ff6f179413fcd21a423576f052b09d21d89a1be9e6810c7e8b0c0ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TriumphLoader

Vendor detections: 5

SHA256 hash: ebd0809f7ff6f179413fcd21a423576f052b09d21d89a1be9e6810c7e8b0c0ef
SHA3-384 hash: d1a07a9212612545367d42bfa361e003b55318a53c817a704e123274632a61c8a3b6fd32918ab8abe674cb75b1bae690
SHA1 hash: 9968558abc8bd73e6ff60a17848b0fcd4d71a17f
MD5 hash: f17aa495410a058fef413b4c6f0de5ae
humanhash: charlie-crazy-low-green
File name: f17aa495410a058fef413b4c6f0de5ae.dll
Signature: TriumphLoader
File size: 299'008 bytes
First seen: 2021-02-22 07:39:27 UTC
Last seen: 2021-02-22 10:56:22 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 91af08d68e0867d4bdbc539e5a2d60de (1 x TriumphLoader)
ssdeep: 3072:zmaPIUPUCSIYv/Hugon1CW7kfEK1QoILp0Ms5YEcVU:zBIwOWgCkKkf7kpBQ82
Threatray: 36 similar samples on MalwareBazaar
TLSH: 7A545D66B7CED912FBBB0F7FF093966411F2AD472063042A51D53958F9B3AB42889370
Reporter: abuse_ch
Tags: dll TriumphLoader

Intelligence


File Origin
# of uploads: 2
# of downloads: 107
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness: not reported
Behaviour
Sending a UDP request

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Triumph Loader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Triumph Loader
Behaviour
Behavior Graph: (rendered graph not reproduced) Behavior Graph ID: 355903; Sample: 7lM8HxwfAm.dll; Startdate: 22/02/2021; Architecture: WINDOWS; Score: 100. The graph traces the process tree from loaddll32.exe (spawning rundll32.exe, cmd.exe and regsvr32.exe) and nethelper.exe (spawning cmd.exe instances that run reg.exe, timeout.exe and schtasks.exe), with dropped nethelper.dll and nethelper.exe copies under the user profile and ProgramData, iexplore.exe child processes, and the outbound DNS and IP contacts recorded in the original graph.
Threat name: Win32.Trojan.GenericML
Status: Malicious
First seen: 2021-02-21 21:47:41 UTC
AV detection: 12 of 29 (41.38%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: ebd0809f7ff6f179413fcd21a423576f052b09d21d89a1be9e6810c7e8b0c0ef
MD5 hash: f17aa495410a058fef413b4c6f0de5ae
SHA1 hash: 9968558abc8bd73e6ff60a17848b0fcd4d71a17f
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: TriumphLoader
File type: DLL dll
SHA256 hash: ebd0809f7ff6f179413fcd21a423576f052b09d21d89a1be9e6810c7e8b0c0ef (this sample)

Delivery method: Distributed via web download

Comments