MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f63b169e6589d2403bf32cca047ead493f0fb6490250366dbdff4b72384765b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f63b169e6589d2403bf32cca047ead493f0fb6490250366dbdff4b72384765b5
SHA3-384 hash: d57fba01f87484940c95f012e5763e05cc8b24aa796358d069d59731a9881f84e9e2e9a99e1d933ea8a471c844c7b903
SHA1 hash: bc09a769ad2749955b2214b8d4051894eb225829
MD5 hash: fcf94dfc58e09cace2777ad5e49e1dbc
humanhash: eight-pizza-single-steak
File name:fcf94dfc58e09cace2777ad5e49e1dbc.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:354'816 bytes
First seen:2021-02-24 18:24:58 UTC
Last seen:2021-03-15 17:52:33 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash f2c474e93666bbd585aa036f9c203ef8 (3 x TrickBot)
ssdeep 6144:bOIWW/GElfb6Nm+k+fWnYz7BHZiRCn9wzlZ0x:bOIvNfONXfyYzNZu49Yy
TLSH 0874BE30F994442AC6FA063728A5FFC3F43EA28C6F245757B62C5ABE87214615219F93
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119061/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/617225
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357617 Sample: OzRW6h38aL.dll Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 4 other signatures 2->50 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 regsvr32.exe 8->17         started        signatures5 56 Writes to foreign memory regions 12->56 58 Allocates memory in foreign processes 12->58 19 wermgr.exe 12->19         started        22 wermgr.exe 12->22         started        25 iexplore.exe 1 74 15->25         started        27 WerFault.exe 23 9 17->27         started        process6 dnsIp7 52 Tries to detect virtualization through RDTSC time measurements 19->52 54 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 19->54 32 192.162.238.186, 449, 49780 VINASTERISK-ASUA Ukraine 22->32 34 45.155.173.242, 443, 49772 COMBAHTONcombahtonGmbHDE Germany 22->34 36 7 other IPs or domains 22->36 29 iexplore.exe 153 25->29         started        signatures8 process9 dnsIp10 38 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49763, 49765 YAHOO-DEBDE United Kingdom 29->38 40 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49762, 49764 FASTLYUS United States 29->40 42 11 other IPs or domains 29->42
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f63b169e6589d2403bf32cca047ead493f0fb6490250366dbdff4b72384765b5/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 18:25:12 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6y5rnhtfrhjeao7tftfai7vnje7q7nsjajidm3n575fxeochmw2q._file
Verdict:
suspicious
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:mon80 banker trojan
Link:
https://tria.ge/reports/210224-196v8yynw6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
41.77.134.250:449
45.155.173.242:443
192.162.238.186:449
142.112.79.223:449
122.2.28.70:449
154.126.176.30:449
45.230.244.20:443
182.253.107.34:443
200.52.147.93:443
123.200.26.246:449
131.255.106.152:449
177.85.133.118:449
103.225.138.94:449
142.202.191.164:443
95.210.118.90:449
36.94.62.207:443
201.20.118.122:449
180.92.238.186:449
103.130.6.244:449
202.91.41.138:449
187.20.217.129:449
Unpacked files
SH256 hash:
349f5d29a1e1d65222b36c018813a832e31b9580b71d275ba054db7adb970817
MD5 hash:
4aa0192c95f1790e451f99a1dee3d56d
SHA1 hash:
2b032cace997f29876e58245f59e079923c9a064
Link:
https://www.unpac.me/results/403c2e08-1142-4b9c-985d-7d8a601f2203/
SH256 hash:
f6547df7c24605531be615704b2544ee9f5fee03bbf80d39c5da4174ac61632d
MD5 hash:
a8de3e30825ed57fcb8a065fa9a8c321
SHA1 hash:
2b0d17770b22d7f0ff936cf944342b672afa29c8
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/403c2e08-1142-4b9c-985d-7d8a601f2203/
SH256 hash:
f63b169e6589d2403bf32cca047ead493f0fb6490250366dbdff4b72384765b5
MD5 hash:
fcf94dfc58e09cace2777ad5e49e1dbc
SHA1 hash:
bc09a769ad2749955b2214b8d4051894eb225829
Link:
https://www.unpac.me/results/403c2e08-1142-4b9c-985d-7d8a601f2203/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll f63b169e6589d2403bf32cca047ead493f0fb6490250366dbdff4b72384765b5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1027765/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/119061/

Comments