MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments

SHA256 hash: c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5
SHA3-384 hash: d95db751e0dcab3d6fc2e7e62b804146dba177e8414b282578b4fc92d1593074d1835f17c3ea95eae0850600f3ca093b
SHA1 hash: e60d2828c4a5716d1d96ba1a141e239a2df374f8
MD5 hash: 7bb8f00948d80dc7a3936c4c1fa2b276
humanhash: alabama-colorado-four-early
File name:7bb8f00948d80dc7a3936c4c1fa2b276.exe
Download: download sample
Signature TrickBot
File size:528'443 bytes
First seen:2021-09-27 17:45:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 675872e23dfc0f62ffbc2f69c316f4bc (22 x TrickBot)
ssdeep 12288:cbVMh0tRyr3W3SfniM+uwkMx8nXoTT0WJZmo:WMh0tRy73lY8X2xJZmo
Threatray 3'986 similar samples on MalwareBazaar
TLSH T198B4D03535E08973D16319308EFD07E963B9BCA147B2958F8F902F0D3C7E556A43A2A6
File icon (PE):PE icon
dhash icon 71b119dcce576333 (167 x TrickBot, 5 x CobaltStrike, 5 x BazaLoader)
Reporter @abuse_ch
Tags:exe TrickBot

Intelligence


File Origin
# of uploads :
1
# of downloads :
217
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
7bb8f00948d80dc7a3936c4c1fa2b276.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-27 17:47:30 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
TrickBot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491679 Sample: zmbct5agcD.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 3 other signatures 2->51 7 zmbct5agcD.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 55 Writes to foreign memory regions 7->55 57 Allocates memory in foreign processes 7->57 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 conhost.exe 10->18         started        process5 dnsIp6 39 179.42.137.105, 443, 49763, 49764 TelefonicadeArgentinaAR unknown 12->39 41 171.103.187.218, 449, 49775, 49780 TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH Thailand 12->41 43 8 other IPs or domains 12->43 59 Hijacks the control flow in another process 12->59 61 May check the online IP address of the machine 12->61 63 Writes to foreign memory regions 12->63 65 2 other signatures 12->65 20 svchost.exe 11 12->20         started        signatures7 process8 dnsIp9 33 109.87.143.67, 443, 49846, 49857 TRIOLANUA Ukraine 20->33 35 178.151.205.154, 443, 49840, 49851 TRIOLANUA Ukraine 20->35 37 9 other IPs or domains 20->37 25 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 20->25 dropped 27 C:\Users\user\AppData\...\Login Data.bak, SQLite 20->27 dropped 29 C:\Users\user\AppData\Local\...\History.bak, SQLite 20->29 dropped 31 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 20->31 dropped 53 Tries to harvest and steal browser information (history, passwords, etc) 20->53 file10 signatures11
Threat name:
Win32.Trojan.TrickBot
Status:
Malicious
First seen:
2021-09-27 17:46:11 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Result
Malware family:
trickbot
Score:
  10/10
Tags:
family:trickbot botnet:tot153 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Unpacked files
SH256 hash:
70288da56e4da38f23b82ccc9b18f9133f7e38de4290f511cd3ce9030a99a254
MD5 hash:
60e8f1fde88645a2a5d696c780c0473b
SHA1 hash:
e1d291faee4a2e9fcf542731a287eff9a14d4299
SH256 hash:
432de043c90f22941f590b350c33be7ab4b4b24d1d9ed4fb5ec33ca6998dff06
MD5 hash:
99ab6f69dcc571bc7af0bb7c18f5bbdb
SHA1 hash:
337c144085b5f23257ab1c39761bfb883b0018b7
Detections:
win_trickbot_auto
SH256 hash:
c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5
MD5 hash:
7bb8f00948d80dc7a3936c4c1fa2b276
SHA1 hash:
e60d2828c4a5716d1d96ba1a141e239a2df374f8

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5

(this sample)

  
Delivery method
Distributed via web download

Comments