MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73
SHA3-384 hash: 47dac510abf8982310dce57dbf13f58f175d2878453ecf70875bd1f42d28f310229ba016b6b5a0703a5453793c9136cd
SHA1 hash: b96c1f765abb14eb401cacab6f6e203c3a255df9
MD5 hash: 48cab21fcbe254e7c83f4c1d455a39dc
humanhash: crazy-winner-enemy-bluebird
File name:mon48_cr.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:337'408 bytes
First seen:2021-02-12 00:13:52 UTC
Last seen:2021-02-12 18:44:49 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 89cc9d6792f17d6eec1bfb53516f1f37 (2 x TrickBot)
ssdeep 6144:aNwmpjb5sDo7TgHLC8X9cL4MoOm/ELg22LCs+7/WRE:aFHs5C8e4MPgELILCs8/EE
Threatray 9 similar samples on MalwareBazaar
TLSH 4874AF10B171022CE7EE43B318ADBAC5DB386698BE9CC71F627D05DD4B18873B51B992
Reporter Cryptolaemus1
Tags:mon48 openfield TrickBot


Avatar
Cryptolaemus1
Comes via the following type of email template:
"From: Steve Belter <SteveBelter@neca.tv>
Sent: Thursday, February 11, 2021 4:44 PM
To: victim (victim@yourdomain.tld)
Subject: Purchase problem and finances removed
Hello there,
I'm writing to dispute a debit in the sum of 235$ on my own user account. I fairly recently purchased the items through your store however, the card ended up being refused. But once i reviewed my bank account the identical amount has been removed from my bank account.
I'm inquiring that fault be solved, that any specific finance expenses related to the debated total be credited to my personal account, and so that I get a correct statement.
Attached are copies of my bank statement plus the purchase information. Kindly correct the error soon.
Bank Statement
Best regards"

Bank Statement goes to -> http://www.pisosenventavic.com/subtend.php which gives 2a0715701189d587df4f40632957f0bbd12cc1e5847b6c8d017254d6ddce6ef1 spreadsheet with XLM 4.0 macros which goes to /85.90.247.25/campo/o/o and then the link s://bestinvest.si/e111/vendor/pusher/pusher-php-server/scripts/mon48_cr.dll

Intelligence

File Origin
# of uploads :
3
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116865/
Detection(s):
SecuriteInfo.com.Generic.mg.48cab21fcbe254e7.2088.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/606389
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352227 Sample: mon48_cr.dll Startdate: 12/02/2021 Architecture: WINDOWS Score: 52 25 Multi AV Scanner detection for submitted file 2->25 27 Machine Learning detection for sample 2->27 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 regsvr32.exe 8->12         started        process5 14 iexplore.exe 2 83 10->14         started        process6 16 iexplore.exe 5 165 14->16         started        dnsIp7 19 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49746, 49747 YAHOO-DEBDE United Kingdom 16->19 21 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49748, 49749 FASTLYUS United States 16->21 23 10 other IPs or domains 16->23
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-02-12 01:00:45 UTC
File Type:
PE (Dll)
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6g45kuqlueyxtym3gnxfiliywc6z6oncwqoyrjzzmjoijaccfnzq._file
Verdict:
unknown
Similar samples:
1e778dc95bcfde018d54f0ba032949c08c199cf15cbd1b1366a81ed012e80e27
TrickBot
210e03682a3d02a4ed1787cab12d998629314fb1999e594e4f00cb0b54ca9b94
TrickBot
28cc94fb40f206ecd64d4fad4b6955ec81ffe52065b7249d0bf324e766b4d413
TrickBot
4491ecf1801788aece27b7cb76dcd3467dfd223372e1cb0c920073e857055d56
TrickBot
4acc9a92388472ce7e96d1d60b0071e21042c8b1320105be6794ddd0c0502022
TrickBot
4de0ce3057abcef1bbdb61712897d42f05dc24143bde0adf9fc3577ab4ab4fcf
TrickBot
53434f6d8c85d7f75478e0ef3abe447f3c18ea51aedb2d0afb3bb5100aa6147b
TrickBot
7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5
TrickBot
d935c653803a8efd039fad751bd98d8bd0ac36259640cbe7bedaed9c1663bc90
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:mon48 banker trojan
Link:
https://tria.ge/reports/210212-czwj6azrma/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
Unpacked files
SH256 hash:
3c25416bfead2f1f76cba535a5a388655f74f335a003ed3b1532758c74bcd7d1
MD5 hash:
a6236916b70fc675d10a5c1ecebdf2c1
SHA1 hash:
38991c8097b4e0866474d9f5c48790b66d023418
Link:
https://www.unpac.me/results/d4ebf7f9-284f-4081-88ea-70fe32846046/
SH256 hash:
e0cc9e03a52564151224a7ca6d7332e67b39e99185df3c3333757e97370ce625
MD5 hash:
b8c0fbcba5e6a680220a93d6fe6b9816
SHA1 hash:
e5c67e103ee82812e3df93915c1db0666a3eff0e
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/d4ebf7f9-284f-4081-88ea-70fe32846046/
SH256 hash:
f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73
MD5 hash:
48cab21fcbe254e7c83f4c1d455a39dc
SHA1 hash:
b96c1f765abb14eb401cacab6f6e203c3a255df9
Link:
https://www.unpac.me/results/d4ebf7f9-284f-4081-88ea-70fe32846046/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

TrickBot

Excel file xlsx 2a0715701189d587df4f40632957f0bbd12cc1e5847b6c8d017254d6ddce6ef1

TrickBot

DLL dll f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1001674/
  
Link
https://tria.ge/210211-f8g819feqe/
  
Dropped by
SHA256 2a0715701189d587df4f40632957f0bbd12cc1e5847b6c8d017254d6ddce6ef1
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/116865/
  
URLhaus
https://urlhaus.abuse.ch/url/1001727/
  
URLhaus
https://urlhaus.abuse.ch/url/1001758/
  
URLhaus
https://urlhaus.abuse.ch/url/1001771/
  
URLhaus
https://urlhaus.abuse.ch/url/1001776/

Comments