MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee
SHA3-384 hash: 5b0f9dbcc79a83821f197d6b80dbf69a3f64142d7ff33c66af8b23a998093cf85fe797fc46f91fd864182c9b2c3846c2
SHA1 hash: 697bfc0d601e704cf603506adda8590a3b5832e8
MD5 hash: b334ee94717042f0eec8afc014711302
humanhash: vermont-double-purple-gee
File name:b334ee94717042f0eec8afc014711302.dll
Download: download sample
Signature TrickBot
Create hunting rule
File size:557'056 bytes
First seen:2021-07-21 18:05:05 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash f3deb6209dc9c95daaecc9f849af840f (12 x TrickBot)
ssdeep 6144:6nhWubOStZ6AbgmgwLp3gUhWeGtwOPc/woVPHma1MXohuPATdTpNSTrbkYW412ph:6nTltgBNwxgUXl/DGaXhu45pI3rep
Threatray 856 similar samples on MalwareBazaar
TLSH T101C4CF2235E08577C4EF16345E667778A3FBBD942BF2C147678A891C6D339028B22327
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:dll rob109 TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173085/
Detection(s):
SecuriteInfo.com.Trojan-Spy.TrickBot.9984.29939.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fda61b56-3a17-4739-8521-6bc7d443e58f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/819687
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452098 Sample: oMNhCoZdeT.dll Startdate: 21/07/2021 Architecture: WINDOWS Score: 92 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Sigma detected: CobaltStrike Load by Rundll32 2->80 10 loaddll32.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 cmd.exe 1 10->16         started        18 rundll32.exe 10->18         started        21 rundll32.exe 10->21         started        signatures5 23 rundll32.exe 16->23         started        82 Writes to foreign memory regions 18->82 84 Allocates memory in foreign processes 18->84 26 wermgr.exe 18->26         started        29 cmd.exe 18->29         started        31 wermgr.exe 21->31         started        33 cmd.exe 21->33         started        process6 dnsIp7 90 Writes to foreign memory regions 23->90 92 Allocates memory in foreign processes 23->92 35 wermgr.exe 23->35         started        39 cmd.exe 23->39         started        70 190.144.10.242, 443, 49790 TelmexColombiaSACO Colombia 26->70 72 45.36.99.184, 443, 49784, 49786 TWC-11426-CAROLINASUS United States 26->72 74 14 other IPs or domains 26->74 94 May check the online IP address of the machine 26->94 96 Tries to detect virtualization through RDTSC time measurements 26->96 98 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 26->98 signatures8 process9 dnsIp10 58 38.110.100.104, 443, 49753, 49755 BELAIR-TECHNOLOGIESCA United States 35->58 60 170.238.117.187, 443, 49758, 49792 America-NETLtdaBR Brazil 35->60 62 8 other IPs or domains 35->62 86 Hijacks the control flow in another process 35->86 88 Writes to foreign memory regions 35->88 41 cmd.exe 11 35->41         started        46 cmd.exe 1 35->46         started        signatures11 process12 dnsIp13 64 5.181.80.128, 443, 49796 TELEHOUSE-ASBG Bulgaria 41->64 66 94.140.114.239, 443, 49794 NANO-ASLV Latvia 41->66 68 4 other IPs or domains 41->68 52 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 41->52 dropped 54 C:\Users\user\AppData\...\Login Data.bak, SQLite 41->54 dropped 56 C:\Users\user\AppData\Local\...\History.bak, SQLite 41->56 dropped 100 Tries to harvest and steal browser information (history, passwords, etc) 41->100 48 conhost.exe 41->48         started        50 conhost.exe 46->50         started        file14 signatures15 process16
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 09:58:48 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=72i55kkfpzozfvr4xf3vritysoppgoyffg6onfg3uv6s3nok5xxa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1c8a67342a601e649f56e32383fecea6d62036a38a7edd2991bfd0e3323fd5f4
TrickBot
6b9c6a3cb61aa69e521120369f8d4bfbc91a4259dfe79996a512e2a1c3cd85ef
TrickBot
7bc0a27df5b8420ca23081fb973bb68729bab7b6229513c81019f7be76deb8e1
TrickBot
8eb708fb8f044596b841b47c2d75f6c02f878f5685b75008084c70752b961d15
TrickBot
ade2a738f75f052722923641168d0b3862981e0dd23b31834c1520123a73be49
TrickBot
cc874aecc69d4a5b5694f59c3896fe36ec29a44ce77e4f07c7cd5ec9f3b04688
TrickBot
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c
TrickBot
d4d87a208df0ba460ccc94d8b7c62e223e4f0a18fa2b799f13ab5ee70f3c2e6c
TrickBot
dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed
TrickBot
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
TrickBot
+ 846 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob109 banker trojan
Link:
https://tria.ge/reports/210721-297qrq66le/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
938812d5f46ffe93c903743719992f2b63a8bfdd619adbb85a88137e9ed28330
MD5 hash:
59509d380c2b8dc8babc705bd262e749
SHA1 hash:
e65a7e2026e1af085ff3e80f9486ef3bc5cc1f00
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/f9bdc125-072d-485f-969b-715c9d5225a6/
Parent samples :
dafc058d57b736297e2e8c5126a3a4310e007c32cdaecdbe5af8e8eca05f33ed
d4d87a208df0ba460ccc94d8b7c62e223e4f0a18fa2b799f13ab5ee70f3c2e6c
7bc0a27df5b8420ca23081fb973bb68729bab7b6229513c81019f7be76deb8e1
1c8a67342a601e649f56e32383fecea6d62036a38a7edd2991bfd0e3323fd5f4
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26
fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb
9da8a5a0b5957db6112e927b607a8fd062b870f2132c4ae3442eb63235f789e1
b161eb34e5513131f4b0a4c0318646ed3448122445d7924e03ff5822a6e2d2dd
7c19373d58728b0e1b36cf30af5dca5eb5975acaaf2b8b0eeac0f87a4f82ce06
ab31cadce548ff34783ae6a838a3ece8484f4c96b02de8c9b314c0f96c064ab7
SH256 hash:
7429e3e9681fdfebc8210a744a9e41c7ad849f7af0c611ee4c272a67cbd44251
MD5 hash:
8c1a2825ab2da0ef39175720516294ca
SHA1 hash:
bdba87361cabe6814d5be5c0bb60b68f29b6e98a
Link:
https://www.unpac.me/results/f9bdc125-072d-485f-969b-715c9d5225a6/
SH256 hash:
59fc89c6cc4e85280791ab15e2e63e64fa4fd971bb57c0e266969bb2dbd9bc9a
MD5 hash:
dade50b747b1edd25607b2a6e7caa31a
SHA1 hash:
4d78b173bfd5bdf95d687c3bdfa3f8218e342bf4
Link:
https://www.unpac.me/results/f9bdc125-072d-485f-969b-715c9d5225a6/
SH256 hash:
8ec4c1b7bd6dc445b04d8d93740bcc72ee3ea94316e321c9fc7b5d77bfd314d5
MD5 hash:
9b49ff370e20a1581da344390b5a1d94
SHA1 hash:
085dd34e7281f8669a1e94001167cecd6c2be741
Link:
https://www.unpac.me/results/f9bdc125-072d-485f-969b-715c9d5225a6/
SH256 hash:
fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee
MD5 hash:
b334ee94717042f0eec8afc014711302
SHA1 hash:
697bfc0d601e704cf603506adda8590a3b5832e8
Link:
https://www.unpac.me/results/f9bdc125-072d-485f-969b-715c9d5225a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

DLL dll fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1469126/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173085/

Comments