MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 6fc676e30cf28110639d8ceb6dd435aade49eda40096768fe2a3f2b466d6a0b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
TrickBot
Vendor detections: 5
| SHA256 hash: | 6fc676e30cf28110639d8ceb6dd435aade49eda40096768fe2a3f2b466d6a0b1 |
|---|---|
| SHA3-384 hash: | 6745ced083f4faec5481df440b64c48e2c387036a39bb8c08f08eaa2b6e8b75d0b196c853bd196f943076925085b8021 |
| SHA1 hash: | ed21aea78411ef5faefc244548522c5f8cfbb531 |
| MD5 hash: | c9a5c6039d0dd468242bf2945c0635c1 |
| humanhash: | georgia-salami-pluto-oranges |
| File name: | fjkvjdkdfg.exe |
| Download: | download sample |
| Signature | TrickBot |
| File size: | 501'760 bytes |
| First seen: | 2020-04-14 13:24:03 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 266a897ac3355e6eb11ed3aa657dd5bb (1 x TrickBot) |
| ssdeep | 12288:ODNYSAeejntEizDJOTF5MNFqLbQFJ1lODpyRGDyC:Ou13jBXJOTIqLkFJ1lODpyR |
| Threatray | 2'892 similar samples on MalwareBazaar |
| TLSH | 8CB45A142394A335F21B243374594BA4BD96BCD7D371A8AA7BC12F2DA97D1C2CF26309 |
| Reporter |  abuse_ch |
| Tags: | exe TrickBot |
abuse_ch
TrickBot malspam hitting Germany, various sending IPs. Example:HELO: feirweather.space
Sending IP: 194.58.120.186
From: "Messner Teresa" <info@feirweather.space>
Subject: Dies ist das geänderte Mitarbeiter-Antragsformular für Krankheit innerhalb des Arbeitnehmergesetzes
Attachment: Krankschreibung14042020.doc
Sender domains:
eburton.site
feirweather.space
hallieburton.space
hdsupply.space
phenixa.site
rochea.site
teknion.space
townland.site
tuliholdings.space
Sending IPs:
151.248.112.232
194.58.120.186
194.87.202.130
194.87.202.132
194.87.202.156
194.87.202.237
194.87.202.250
194.87.202.60
194.87.202.94
TrickBot payload URL:
https://mobilefueldoctor.co.uk/fjkvjdkdfg.exe
TrickBot C2s:
51.89.115.112:443
185.141.27.225:443
151.80.212.114:443
5.182.210.178:443
188.119.113.60:443
91.235.129.199:443
185.234.72.193:443
194.5.250.200:443
185.14.29.141:443
185.99.2.197:443
185.234.72.50:443
194.5.250.201:443
108.170.61.186:443
217.12.209.159:443
185.99.2.44:443
51.89.115.108:443
164.68.120.58:443
164.132.255.19:443
148.251.185.164:443
94.250.250.69:443
94.250.249.170:443
195.123.237.105:443
190.214.13.2:449
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
202.29.215.114:449
171.100.142.238:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
103.227.147.82:449
96.9.77.56:449
103.5.231.188:449
110.93.15.98:449
200.171.101.169:449
Intelligence
File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
80 / 100
Behaviour
Behavior Graph:
n/a
Gathering data
Threat name:
Win32.Trojan.Kryptik
Status:
Malicious
First seen:
2020-04-14 13:35:22 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
26 of 30 (86.67%)
Threat level:
2/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
trickbot
Similar samples:
+ 2'882 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Cobalt_functions |
|---|---|
| Author: | @j0sm1 |
| Description: | Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
doc Delivery method
Distributed via e-mail link
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.