MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be
SHA3-384 hash: c8f48173f7e26bbfddaf97a35570c6d6af2e602762e9b97d798054f0854f07f90b4c86ce136178d0b6b3f607786bc773
SHA1 hash: 6d7b9360799259e0cfe6f94a4223f64c2d7f5a66
MD5 hash: 9088550e62f4edbb1e74d0449b83bd63
humanhash: kilo-oxygen-east-nevada
File name:rob_111CoaDsHA.png
Download: download sample
Signature TrickBot
Create hunting rule
File size:614'400 bytes
First seen:2021-07-23 21:22:46 UTC
Last seen:2021-07-24 21:30:18 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash de819f5e850867cc4ac54717f1c6cd5d (4 x TrickBot)
ssdeep 12288:LuuxubkppdzT4cqzakjUX39jZs7YNXJeZK9fU4wB:CubpdzF8akjUX3Fy8NXJeZz4e
Threatray 890 similar samples on MalwareBazaar
TLSH T19CD4D031BAC2C1B6E05F0139E556D74D61E9BE209B6494C3FFE04A4D6F712A28F34A4E
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter malwarelabnet
Tags:dll rob111 TrickBot

Intelligence

File Origin
# of uploads :
3
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173778/
Detection(s):
SecuriteInfo.com.UDS.Trojan.Win32.Trickpak.gen.29305.26481.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26d5aeb2-7409-45ee-8a86-c81c18e688e5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/821072
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
May check the online IP address of the machine
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453483 Sample: rob_111CoaDsHA.png Startdate: 23/07/2021 Architecture: WINDOWS Score: 84 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Sigma detected: CobaltStrike Load by Rundll32 2->69 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 rundll32.exe 10->16         started        19 cmd.exe 1 10->19         started        21 rundll32.exe 10->21         started        signatures5 61 Writes to foreign memory regions 16->61 63 Allocates memory in foreign processes 16->63 65 Delayed program exit found 16->65 23 wermgr.exe 16->23         started        27 cmd.exe 16->27         started        29 rundll32.exe 19->29         started        31 wermgr.exe 21->31         started        33 cmd.exe 21->33         started        process6 dnsIp7 55 184.74.99.214, 443, 49733, 49736 TWC-11351-NORTHEASTUS United States 23->55 57 ipecho.net 23->57 59 7 other IPs or domains 23->59 75 May check the online IP address of the machine 23->75 77 Writes to foreign memory regions 23->77 79 Tries to detect virtualization through RDTSC time measurements 23->79 81 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 23->81 35 cmd.exe 1 23->35         started        83 Allocates memory in foreign processes 29->83 37 wermgr.exe 29->37         started        41 cmd.exe 29->41         started        signatures8 process9 dnsIp10 43 conhost.exe 35->43         started        49 ipinfo.io 34.117.59.81, 49723, 49734, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 37->49 51 74.85.157.139, 443, 49721 FUSEPR Puerto Rico 37->51 53 8 other IPs or domains 37->53 71 Hijacks the control flow in another process 37->71 73 Writes to foreign memory regions 37->73 45 cmd.exe 1 37->45         started        signatures11 process12 process13 47 conhost.exe 45->47         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-07-23 19:46:35 UTC
AV detection:
2 of 46 (4.35%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1c8a67342a601e649f56e32383fecea6d62036a38a7edd2991bfd0e3323fd5f4
TrickBot
9da8a5a0b5957db6112e927b607a8fd062b870f2132c4ae3442eb63235f789e1
TrickBot
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
TrickBot
ab31cadce548ff34783ae6a838a3ece8484f4c96b02de8c9b314c0f96c064ab7
TrickBot
b161eb34e5513131f4b0a4c0318646ed3448122445d7924e03ff5822a6e2d2dd
TrickBot
cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20
TrickBot
e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb
TrickBot
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
TrickBot
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
TrickBot
+ 880 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob111 banker trojan
Link:
https://tria.ge/reports/210723-gxtbwxek7a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
3a9dedc4fa21835cf378f4b2e086fb48367a1bb08fe8013b114945d353e1d4de
MD5 hash:
e44782a8ce60ce5a315c646ec3972db8
SHA1 hash:
50697bd7f9b8dd388db5784d07cdbbe00729f9c5
Link:
https://www.unpac.me/results/6a501f5a-c3da-4d16-b34b-b8b13192be8c/
SH256 hash:
32f4b20d82d856b3837af63fb6de23bb77a68d1f4b6b53bc0533b07700b3f3ec
MD5 hash:
d70682c5898630dd2d4c0edf6bb804b7
SHA1 hash:
53e52dde4aafcb8864a9913f6cfc7cbdfa71bfe4
Link:
https://www.unpac.me/results/6a501f5a-c3da-4d16-b34b-b8b13192be8c/
SH256 hash:
9c95ab10c67c5ac8980a77eb838a30f168a6b9dc627489cd32041d02ef4e67f3
MD5 hash:
2c2802221441e510b67049f640224888
SHA1 hash:
9c4533416484b1449fa2052fb65ecbb1a9e68602
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/6a501f5a-c3da-4d16-b34b-b8b13192be8c/
SH256 hash:
b332110017443a559761b7ac377ce66febf0ff65872dedd326dd1b9c32c9de8a
MD5 hash:
d3abc7b9b6f3d55cf8fc678960eb9eb4
SHA1 hash:
ff3c928fed8b14121597097b44c017cd964eab80
Link:
https://www.unpac.me/results/6a501f5a-c3da-4d16-b34b-b8b13192be8c/
SH256 hash:
fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be
MD5 hash:
9088550e62f4edbb1e74d0449b83bd63
SHA1 hash:
6d7b9360799259e0cfe6f94a4223f64c2d7f5a66
Link:
https://www.unpac.me/results/6a501f5a-c3da-4d16-b34b-b8b13192be8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/173778/
  
URLhaus
https://urlhaus.abuse.ch/url/1477657/
  
Delivery method
Distributed via web download

Comments