MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 764553cbeade2cc41c018b08fb22381a32a6c475b86353458d8fbc1aab86afeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 4



SHA256 hash: 764553cbeade2cc41c018b08fb22381a32a6c475b86353458d8fbc1aab86afeb
SHA3-384 hash: 88c8986c9aabd0edb00c0da3fbe5f70b10a5855faf017ec44443030e29dcec1485e3feda622bb4779da284ee298071ea
SHA1 hash: 701d69218764e3fa307fffd4632d6ebe95c98293
MD5 hash: 3158ed9cb3f14df0e9322739607e6322
humanhash: lemon-ink-uranus-sodium
File name: 104YAs26ZA.exe
Signature TrickBot
File size: 345'255 bytes
First seen: 2020-03-23 19:02:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4eb3f2e4f2eac9862ba327ed0f000854 (1 x TrickBot)
ssdeep 6144:PWTtSNOOswIda4RXUTmwiCR6aR0lgesVOIsZrCC2QcOaF9rFyT:PWTtSswsa49wVstsAIwOmcVXu
Threatray 2'748 similar samples on MalwareBazaar
TLSH E5740103B725E423D68586B8CD76E7BD0727FD594B104ACB26907E6F29373E19E32089
Reporter abuse_ch
Tags: exe TrickBot


abuse_ch
dropped via TrickBot malspam -> web download:

HELO: mail.rvcountry.us
Sending IP: 198.50.186.192
From: dealer@rvcountry.us
Subject: Your order approved
Attachment: INVOICE.529.doc

Intelligence


File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Threat name:
Win32.Trojan.Trickbot
Status:
Malicious
First seen:
2020-03-24 03:57:46 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
26 of 31 (83.87%)
Threat level:
2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

TrickBot

Executable exe 764553cbeade2cc41c018b08fb22381a32a6c475b86353458d8fbc1aab86afeb (this sample)

8bec9444c4b418d032bf40d39d3cba08128bba559872483c40f4ad9f74266fc2

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoA
WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExA, USER32.dll::CreateWindowExW

Comments