MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa8a4b51c739735940000aafaf9d3bd9b92963caa52f276f82ad415d6eb188de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa8a4b51c739735940000aafaf9d3bd9b92963caa52f276f82ad415d6eb188de
SHA3-384 hash: 1d2ea0d398ca735e286dddd7677d0cc8877039b7b8c15be8cee3a6d341de47b241df6e7efae3b4722670fa594f098b20
SHA1 hash: 136d85a4cc7c09706a9358215784ab8c8bb6553a
MD5 hash: a2b1148f90db218396821d5f0e610e05
humanhash: sad-double-xray-robert
File name:jhfggfhg.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:360'960 bytes
First seen:2021-02-04 14:30:24 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 4898c2a18c150f53e6a7c2b16f02a3d4 (1 x TrickBot)
ssdeep 6144:0Z3p1Qh+g7uzkP/EfrYhCa6am8JBsxji8/Ye695Mx7OVJqoGO:0hQ4gPHEE96aLXKjH/xi5Mx7OVIoV
Threatray 131 similar samples on MalwareBazaar
TLSH E174F1486A7ECD40EF926FF9C5F8C8EE4C24BCF10E32982D5C8725C668BB146657C529
Reporter Scoobs_McGee
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115649/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/599427
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fa8a4b51c739735940000aafaf9d3bd9b92963caa52f276f82ad415d6eb188de/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-02-04 14:31:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
23029ba6811d0fd53545cf0ad78b608e1c5849482a9ef56a2041a7319c81683e
TrickBot
309bca5d9fde32746cd61a7ea4b2da3ef8f6cf2de57ee40e835c1b26237c991a
TrickBot
32515d546db78a132c9c6b711f816797fcb110f491aaddcb9ac86a38849c3837
TrickBot
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a
TrickBot
7623db769068c06d1a4546b31f25b6a0b84cda91c9b037d728c97dbebbc2ec15
TrickBot
82f3ca41a9732e3917fbd6f2be17d58b5bbf0da2fb825a018a9ef2a225f39a13
TrickBot
91020b6ada47f05e9941da3d5fc747a4bdf088e30fdbf010b50ce9ccf0de0cc6
TrickBot
a7af3791a39b09053d1760dbddfbfa08a63e39349893215ac572efe60f63f6fb
TrickBot
da5cbe3b9259ea79fe77d60ebb5e2840e37e239068160ffeccd4be2652a7e34c
TrickBot
f4736282bb5ae752c4c46789adbc1f21c4b09676e96fee3cc31627955d962065
TrickBot
+ 121 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob6 banker trojan
Link:
https://tria.ge/reports/210204-yl1ee7erg2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
85.93.159.98:449
92.242.214.203:449
202.21.103.194:449
169.239.45.42:449
45.234.248.66:449
103.91.244.102:449
118.67.216.238:449
117.212.193.62:449
201.184.190.59:449
103.29.185.138:449
79.122.166.236:449
37.143.150.186:449
179.191.108.58:449
85.159.214.61:443
149.56.80.31:443
Unpacked files
SH256 hash:
b5613b880cda0eaa097d869448f779e8f8ad107993fd6f46b7c737213c7239db
MD5 hash:
a36d2c72086dadb2bf98111009d81992
SHA1 hash:
fc51963b01b9132616d665b5d75793c73d744499
Detections:
win_trickbot_a4
Create hunting rule
Link:
https://www.unpac.me/results/0d6595aa-0623-4b6e-b1b0-d042b69fe55d/
SH256 hash:
481d124ad8b6674cc3e08ccb3d20545cd592330d3ca806860965774522d42a74
MD5 hash:
419e856bb41ce975c89e6dab4db7dea6
SHA1 hash:
30d34d9ba66d774c5088b85d878e46ab28c033f3
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/0d6595aa-0623-4b6e-b1b0-d042b69fe55d/
SH256 hash:
fa8a4b51c739735940000aafaf9d3bd9b92963caa52f276f82ad415d6eb188de
MD5 hash:
a2b1148f90db218396821d5f0e610e05
SHA1 hash:
136d85a4cc7c09706a9358215784ab8c8bb6553a
Link:
https://www.unpac.me/results/0d6595aa-0623-4b6e-b1b0-d042b69fe55d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa8a4b51c739735940000aafaf9d3bd9b92963caa52f276f82ad415d6eb188de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

DLL dll fa8a4b51c739735940000aafaf9d3bd9b92963caa52f276f82ad415d6eb188de

(this sample)

anyrun
any.run
https://app.any.run/tasks/ce84e187-bf74-4baf-b43b-e59d94055865#
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115649/
  
URLhaus
https://urlhaus.abuse.ch/url/990445/

Comments