MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f48c889018613e2c96fcfe50a0b7ab313cfc53634c7b8497152c48c944f50bdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	f48c889018613e2c96fcfe50a0b7ab313cfc53634c7b8497152c48c944f50bdf
SHA3-384 hash:	2f362aaef791527251ce4a268713ff521835b7c49c393ba0ac0d751737e2906a2bda509ef0585cbb8b1dc23209bdc81b
SHA1 hash:	527d28a019d5f11bbf7d90bbd117c78e47c0d131
MD5 hash:	a01094ce262a6722a50b5622e9b8822e
humanhash:	asparagus-floor-steak-texas
File name:	a01094ce262a6722a50b5622e9b8822e.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	266'240 bytes
First seen:	2020-08-05 11:36:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8e2aa84a6c2c98887f880d49accd3864 (2 x TrickBot)
ssdeep	6144:kPXNzcJ40Yz1I/QgrgGKFL0eWR8qQ/rXjB1XfwM:KzdVpogvWR83/rTbf3
Threatray	5'380 similar samples on MalwareBazaar
TLSH	94440112B6D2C8FAF64240355CCEAFA527BAF5010F6599832B44174F9F703D19E3AAC6
Reporter	abuse_ch
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

TrickBot

Link:

https://www.capesandbox.com/analysis/39449/

Detection(s):

PUA.Win.Packer.Armadillo-65

SecuriteInfo.com.Variant.Graftor.780766.32475.7315.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Sending a UDP request

DNS request

Sending an HTTP GET request

Unauthorized injection to a system process

Sending a TCP request to an infection source

Result

Threat name:

Trickbot

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/410983

Signature

Allocates memory in foreign processes

Delayed program exit found

Found malware configuration

Machine Learning detection for sample

May check the online IP address of the machine

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/f48c889018613e2c96fcfe50a0b7ab313cfc53634c7b8497152c48c944f50bdf/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-08-05 11:38:09 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6sgireayme7czfx47zikbn5lge6pyu3djr5yjfyvfremsrhvbppq._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

77bfe57005d7d29dd60d810c6f2a1daeefee51ee52fa98d4d6d5693c8a06034a

TrickBot

784717bbd68643a1f19323e521fd25381b36b700d76d7221ce8b081fc809bb5c

TrickBot

7984df6018af3f340757e48e5fb6105c6476c1832c23cb3ec9e0b8a08623436e

TrickBot

7b274825019cc4b9818767e353a90dd8af7d18a91110739cc4079f5bbd6d2dbe

TrickBot

c21982594c699fb0393d9d87dbc9ac0ffa931daaff40714f33c7fe52c8c961b2

TrickBot

cc42a51ff65b9787f17a6d442b1688057449ea20f3630d58a9a3af68eed71105

TrickBot

d00c3b92cbed81d0a68b1c123efceceb812351caafa30dc1253dfd5b8b20a937

TrickBot

e06c2375f3711e571d41e2d9b7c2601665e5c28f7cb1e43f06b57a29371ff5bb

TrickBot

ee029ab56b4e0370c9b0cf875a7f7e399c00446f797d9a9bd98e8a97969b5327

TrickBot

+ 5'370 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

trojan banker family:trickbot

Link:

https://tria.ge/reports/200805-53xsgcraas/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Trickbot

Malware Config

C2 Extraction:

95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f48c889018613e2c96fcfe50a0b7ab313cfc53634c7b8497152c48c944f50bdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ReflectiveLoader Create hunting rule
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/39449/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample