MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3
SHA3-384 hash: 8532df8bf41c03505e215cb50aac9b2f27f302d38030c942c614911a8845277148356dab716201b417a2e72d07603fab
SHA1 hash: 670d7d68bc9248481d9b6e44a2df5535b98e26de
MD5 hash: 81912f51960219818c5b55a0bafa674e
humanhash: echo-vegan-lion-august
File name:81912f51960219818c5b55a0bafa674e.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:487'424 bytes
First seen:2021-07-14 07:11:23 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 285edb96a4eb2f97aa48802e35f98fc6 (14 x TrickBot)
ssdeep 6144:cIzlI2lTAbw3TTIaThNALS0znc1hTF8PW8yLvBYQ8YiXCn6muSL7Cw5O547fEACA:vT8wIaThNv8nc3LvBYtYuuX/Ci78hH+
Threatray 819 similar samples on MalwareBazaar
TLSH T1AEA4CF1033C0C036E6BB037A495BDB5962A5BC608BF5C28B7F947E9D9E312868E35752
Reporter abuse_ch
Tags:dll rob107 TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171600/
Detection(s):
SecuriteInfo.com.ArtemisE47F10B15903.30140.7321.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79b33282-2ee6-4ff6-8a50-88148b6d3fa8
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816053
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448464 Sample: T48FCcD5n1.dll Startdate: 14/07/2021 Architecture: WINDOWS Score: 100 88 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->88 90 Found malware configuration 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 3 other signatures 2->94 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        process3 process4 18 rundll32.exe 10->18         started        21 cmd.exe 1 10->21         started        23 rundll32.exe 10->23         started        signatures5 96 Writes to foreign memory regions 18->96 98 Allocates memory in foreign processes 18->98 25 wermgr.exe 18->25         started        29 cmd.exe 18->29         started        31 rundll32.exe 21->31         started        33 wermgr.exe 23->33         started        35 cmd.exe 23->35         started        process6 dnsIp7 76 148.235.154.164, 443, 49726, 49728 UninetSAdeCVMX Mexico 25->76 78 204.138.26.60, 443, 49713 NTT-COMMUNICATIONS-2914US United States 25->78 84 7 other IPs or domains 25->84 104 Hijacks the control flow in another process 25->104 106 May check the online IP address of the machine 25->106 108 Writes to foreign memory regions 25->108 112 2 other signatures 25->112 37 cmd.exe 11 25->37         started        42 cmd.exe 1 25->42         started        110 Allocates memory in foreign processes 31->110 44 wermgr.exe 31->44         started        46 cmd.exe 31->46         started        80 60.51.47.65, 443, 49729, 49732 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 33->80 82 185.56.76.28, 443 GRUPOINFOSHOPES Spain 33->82 86 9 other IPs or domains 33->86 48 cmd.exe 1 33->48         started        signatures8 process9 dnsIp10 66 12.23.113.88, 443, 49735 ATT-INTERNET4US United States 37->66 68 85.187.252.141, 443, 49734 ABINTER-ASBG Bulgaria 37->68 60 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 37->60 dropped 62 C:\Users\user\AppData\...\Login Data.bak, SQLite 37->62 dropped 64 C:\Users\user\AppData\Local\...\History.bak, SQLite 37->64 dropped 100 Tries to harvest and steal browser information (history, passwords, etc) 37->100 50 conhost.exe 37->50         started        52 conhost.exe 42->52         started        70 185.81.51.44, 443, 49727 VIA-SMSLV Latvia 44->70 72 24.162.214.166, 443, 49714, 49721 TWC-11427-TEXASUS United States 44->72 74 7 other IPs or domains 44->74 102 Writes to foreign memory regions 44->102 54 cmd.exe 1 44->54         started        56 conhost.exe 48->56         started        file11 signatures12 process13 process14 58 conhost.exe 54->58         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 01:19:51 UTC
AV detection:
8 of 29 (27.59%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fnnvyoniyqauw45mebe4pvyq672z7rp4y5zj4o4jzvyt3nzzlrq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
17be3870a101845d72a72af9dde7bd7abd72f99a11d2894d60d014900669f59a
TrickBot
250d4fb488729b671611e96c8801875221b5086aa44562acd2b6a56488ca8150
TrickBot
430efdb79d9d0560d74c99566671d064f93746e4162fc8c492a5b023ac6c0442
TrickBot
6ac9af13a02c781f20484c344a61f47c1988b93f99786fcb93042678ac7be760
TrickBot
82ee229f96371decb519948d2b1cffdccb39859fca84909032acef7da5bd0093
TrickBot
c3f153bb4b44d9e0cb3cab0bf7eed03b8eea280b97756937dedbe74c7013a3d3
TrickBot
cc874aecc69d4a5b5694f59c3896fe36ec29a44ce77e4f07c7cd5ec9f3b04688
TrickBot
dea612148b5f17340638f8d3939c519013c5e28eb1aaacc2c026a1cbb885314b
TrickBot
ef59cf16bcd6d9d4da6595b18b4f874da6acfe6893773260af17fc34b58f3ad0
TrickBot
f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1
TrickBot
+ 809 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob107 banker trojan
Link:
https://tria.ge/reports/210714-28btml3tgx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
5b7367b79ec2351459c8932efbd7ffc7afc08db4c53cfe4f26da2d25b35fb380
MD5 hash:
3e465b6a7816778ba4ac74ec0297ae41
SHA1 hash:
5d32ddbcff2433128943bfc6ba0ae827e6c6ed3d
Link:
https://www.unpac.me/results/9b2a321d-73b0-4d04-92e3-88c0b670be0a/
SH256 hash:
e488408289bd0dcc94cafb929be451e5729836f4ab2e63d8857f0775bb7e1d70
MD5 hash:
20fcd3bfcb0783046e14b846b60b6941
SHA1 hash:
149f763cbcb4c5c64019fba984a64013b49307d7
Link:
https://www.unpac.me/results/9b2a321d-73b0-4d04-92e3-88c0b670be0a/
SH256 hash:
a53445b54492ba6b85bc16afe1f9667c36473023e36e102784885bc09403a83b
MD5 hash:
0b451bfa61437e6bbdeee9633841e577
SHA1 hash:
0faeaed92e49d4b026eb4628ab47013117aac5d8
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b2a321d-73b0-4d04-92e3-88c0b670be0a/
Parent samples :
6ac9af13a02c781f20484c344a61f47c1988b93f99786fcb93042678ac7be760
250d4fb488729b671611e96c8801875221b5086aa44562acd2b6a56488ca8150
82ee229f96371decb519948d2b1cffdccb39859fca84909032acef7da5bd0093
c3f153bb4b44d9e0cb3cab0bf7eed03b8eea280b97756937dedbe74c7013a3d3
ef59cf16bcd6d9d4da6595b18b4f874da6acfe6893773260af17fc34b58f3ad0
17be3870a101845d72a72af9dde7bd7abd72f99a11d2894d60d014900669f59a
430efdb79d9d0560d74c99566671d064f93746e4162fc8c492a5b023ac6c0442
cc874aecc69d4a5b5694f59c3896fe36ec29a44ce77e4f07c7cd5ec9f3b04688
dea612148b5f17340638f8d3939c519013c5e28eb1aaacc2c026a1cbb885314b
f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3
458844d1edad3253667e6eea0dc735a748e87ff784cbf12c80f05c15e96ec3d9
7d6688ec15f6fec19a2cc6743f3fe50f5dcf79d14f122f3ebdf844464c45abec
fccb8dea9ab7e194eadc863a8e7658b9076fddd4b645b4241ab5b9a33997afcc
8a5ab991e0f8318707d517aee2a9a0689b5908050e17b6afce77e83544fcaaa8
SH256 hash:
812ea970acb8ed5306bed9e3278261e13302dc9d8412e2e170dfd93a081e8015
MD5 hash:
588e6455cde75589b8911dac756c9c07
SHA1 hash:
017a608545f08c68f8f4f3391eae972e4903c08f
Link:
https://www.unpac.me/results/9b2a321d-73b0-4d04-92e3-88c0b670be0a/
SH256 hash:
f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3
MD5 hash:
81912f51960219818c5b55a0bafa674e
SHA1 hash:
670d7d68bc9248481d9b6e44a2df5535b98e26de
Link:
https://www.unpac.me/results/9b2a321d-73b0-4d04-92e3-88c0b670be0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll f95adae1cd46200a5b9d61024e3eb887bfacfe2fe63b94f1dc4e6b89edb9cae3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1451719/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171600/

Comments