MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
SHA3-384 hash: 0de2eead98c0e099306e83bf3ab57d98555c539bf3f4fbd7b9575b848bb5e280896b3536c3b7888dcf57616e4e90dfa9
SHA1 hash: 654c6fe607e475fda57863c3cd87d70aa067dc8a
MD5 hash: 0ceac8c2172cc3bd0b6d28b40deee16d
humanhash: pasta-iowa-eight-illinois
File name:0ceac8c2172cc3bd0b6d28b40deee16d.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:532'480 bytes
First seen:2021-09-22 18:12:36 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 5c9a9773c96ef9c47915be337e1489a1 (6 x TrickBot)
ssdeep 6144:tIl3f5on8R0CBtsabvb90iRugpw8mI3R5y4MAIJ+CczfBsx2X/HSpu9SiWaKMVe1:tk32q0CB59wq6cBsxsPUmYa1B3js
Threatray 1'229 similar samples on MalwareBazaar
TLSH T168B4CF42B2C0C076E27F537149775B5A26AEFD248BF1A94BB744BE3D0F35291852EA03
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190384/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Trickpak.4c.24101.28805.UNOFFICIAL
Create hunting rule

Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6065f5e-3946-4020-b275-79b9ee277d2f
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/855905
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488336 Sample: wc8FX0j4Gm.dll Startdate: 22/09/2021 Architecture: WINDOWS Score: 96 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected Trickbot 2->50 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 rundll32.exe 8->17         started        signatures5 62 Writes to foreign memory regions 12->62 64 Allocates memory in foreign processes 12->64 66 Queues an APC in another process (thread injection) 12->66 19 wermgr.exe 12->19         started        23 cmd.exe 12->23         started        25 rundll32.exe 15->25         started        27 wermgr.exe 17->27         started        29 cmd.exe 17->29         started        process6 dnsIp7 36 46.99.175.149, 443, 49752 IPKO-ASAL Albania 19->36 52 May check the online IP address of the machine 19->52 54 Tries to detect virtualization through RDTSC time measurements 19->54 56 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 19->56 58 Writes to foreign memory regions 25->58 60 Allocates memory in foreign processes 25->60 31 wermgr.exe 25->31         started        34 cmd.exe 25->34         started        signatures8 process9 dnsIp10 38 46.99.175.217, 443, 49753, 49761 IPKO-ASAL Albania 31->38 40 194.146.249.137, 443, 49767 VIRTUAOPERATOR-ASPL Poland 31->40 42 6 other IPs or domains 31->42
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 18:13:11 UTC
AV detection:
10 of 27 (37.04%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
49e61873c2864b4a39bfb6c520ea9644d1b38088cd11a6d0f2f6ced91b793856
TrickBot
5cd5117a6e5ce9208897678ed6c44bf821f02326b01386589e56e0adbe0581f0
TrickBot
83f374f57d674ac1abf87f968ba37237e5403bcae01ded47b7a912c4c5a58163
TrickBot
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
b7da1ed4d4b5461005d4a9ec7e54c69bc4a86ba94571c0c61840987bf87af1ab
TrickBot
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
TrickBot
d423f00832f44b4195a686c691b2f20e55bd4c31145a43561f83f1ea661bfc60
TrickBot
def94d349e3c5637e40dcf603fd7c41d8807f13c0804bea48f1e098fd7629578
TrickBot
fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898
TrickBot
+ 1'219 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob133 banker trojan
Link:
https://tria.ge/reports/210922-wts3dsgabn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
6235365fae1fcaa6e8f3343e765ef47eab65dc17d9820834a6e72b4929b275d0
MD5 hash:
b96a0c7500cdd30940f9d3b67c320318
SHA1 hash:
adbbd1371cff40c59d2f5497ab5b0988e9897e74
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/c66cbb39-f4c4-442b-b928-808826cda031/
Parent samples :
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
fdbbfcaac090ccd1b7ce3289ea862e5c8f0ced4318f368db0e6976df950e9706
135dfd26acc2ab044b4159e7e0da289e2c7835c4049100106a00ca7d232bddea
0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277
SH256 hash:
ba545e55228cfc740224d9e71fe535d8a61aa420bc7291e51976627c60560111
MD5 hash:
f7a03324b77866ca1f90f8997e371e4b
SHA1 hash:
9162794fefe5a8a20264a07fe8fe75c10e8894d8
Link:
https://www.unpac.me/results/c66cbb39-f4c4-442b-b928-808826cda031/
SH256 hash:
75bea7e6e72fc4fcbd5fb4bc5e4adb274b89acec08b50890212b2c4fa3586e41
MD5 hash:
8fe3f8f60b6658aec777f30282b32425
SHA1 hash:
33b2c8dd7dea6755ffadaa9e81acbea0cd620b5a
Link:
https://www.unpac.me/results/c66cbb39-f4c4-442b-b928-808826cda031/
SH256 hash:
5e1d15a0f3ce1f88516b539b6f28a210385bafc05cb4399ecd07389619d051e7
MD5 hash:
c6fc9418fb7b4b970923b1a634bd0903
SHA1 hash:
024822d0a0091823083054fb47900b8cd4a658a2
Link:
https://www.unpac.me/results/c66cbb39-f4c4-442b-b928-808826cda031/
SH256 hash:
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
MD5 hash:
0ceac8c2172cc3bd0b6d28b40deee16d
SHA1 hash:
654c6fe607e475fda57863c3cd87d70aa067dc8a
Link:
https://www.unpac.me/results/c66cbb39-f4c4-442b-b928-808826cda031/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190384/

Comments