MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01c69d0acc8734993ba9cbfe9b0da4616bb05041e103afdb487759995b93ee5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01c69d0acc8734993ba9cbfe9b0da4616bb05041e103afdb487759995b93ee5c
SHA3-384 hash: a3612c1deff78976343e226fbcde7e7f70a396380ab1f04d6e1da383f0789bff7ba9e569546bcb7d688876ef012f7624
SHA1 hash: 6010fb83b30adfeba34ac6f302c2c8e865cdc705
MD5 hash: 1e19cdc980488fb82c9245fde3ba28f8
humanhash: queen-white-helium-maryland
File name:1e19cdc980488fb82c9245fde3ba28f8.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:422'912 bytes
First seen:2021-12-29 12:46:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 297ed3de0a49d4831344ce5a84729097 (5 x TrickBot)
ssdeep 6144:YFn61kciCuRBb15sZwkst8K5YHJHJ4wX4wp16SiVyaE6Clb4p:YF61k9CuRhaNK5Ypp4wo8OVlE7R4p
Threatray 4'322 similar samples on MalwareBazaar
TLSH T15C94F120B3E5C071D18721718A62CBB24FBA7C722591BD8F6FD656794F38A90972831F
File icon (PE):PE icon
dhash icon e4d0d0f8e4e8d804 (7 x TrickBot)
Reporter abuse_ch
Tags:exe top166 TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'037
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1e19cdc980488fb82c9245fde3ba28f8.exe
Verdict:
Malicious activity
Analysis date:
2021-12-29 12:48:49 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/9bad4f8d-74fb-4025-919e-74e2bf16ea12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216787/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
DNS request
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3486/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware packed trickbot
Link:
https://www.filescan.io/uploads/61cc58ca4ab5c44cbf561588/reports/6d5830e5-8d41-4958-876d-bb7fb4cae12b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff529303-8565-4425-95ac-4e6c5006077a
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913781
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/01c69d0acc8734993ba9cbfe9b0da4616bb05041e103afdb487759995b93ee5c/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-12-29 12:47:12 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 27 (85.19%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahdj2cwmq42jso5jzp7jwdnemfv3aucb4eb27w2io5mzsw4t5zoa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
27298bd1cc024cf7807b22de38b4bf6cc24109dae62a16583e50f7fe65c94590
TrickBot
5c032f85c0a9a4a551f6c0057ecc78aec6b625df77fcbf6e76c685e362613a92
TrickBot
83f374f57d674ac1abf87f968ba37237e5403bcae01ded47b7a912c4c5a58163
TrickBot
caf56d168c770350da83ad489809007df7813c3bef213c35f1c6e1f4bf3142de
TrickBot
d9ef2723a2d54f8774224b15ad9324598e2213597cf882292af713223b097294
TrickBot
fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898
TrickBot
+ 4'312 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:top166 banker suricata trojan
Link:
https://tria.ge/reports/211229-pz8ayadddp/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
Malware Config
C2 Extraction:
181.129.85.98:443
189.112.119.205:443
189.51.118.78:443
186.121.214.106:443
49.176.188.184:443
61.69.102.170:443
213.32.252.221:443
89.46.216.2:443
103.36.79.3:443
103.108.97.51:443
95.140.217.242:443
41.175.22.226:443
190.109.169.161:443
186.159.12.18:443
190.109.171.17:443
181.196.148.202:443
186.47.75.58:443
186.42.212.30:443
190.214.21.14:443
187.108.32.133:443
201.184.226.74:443
186.159.5.177:443
Unpacked files
SH256 hash:
d7a12d0784fdc26d39cfb3b9ca96d0302ce0ebad932ef02bf48b4655cae55249
MD5 hash:
eb9873a0cae39028427f4775cec81804
SHA1 hash:
9be742d7729539c2d610c8da5cc5b3584c77876f
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/907f21bf-ebf6-4013-a2a7-56df48f350ed/
Parent samples :
01c69d0acc8734993ba9cbfe9b0da4616bb05041e103afdb487759995b93ee5c
fcde8f225a14fe70009f32c4acfba0407b5fd6b0da5c2f65778434359962e5c1
SH256 hash:
01c69d0acc8734993ba9cbfe9b0da4616bb05041e103afdb487759995b93ee5c
MD5 hash:
1e19cdc980488fb82c9245fde3ba28f8
SHA1 hash:
6010fb83b30adfeba34ac6f302c2c8e865cdc705
Link:
https://www.unpac.me/results/907f21bf-ebf6-4013-a2a7-56df48f350ed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/01c69d0acc87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01c69d0acc8734993ba9cbfe9b0da4616bb05041e103afdb487759995b93ee5c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 01c69d0acc8734993ba9cbfe9b0da4616bb05041e103afdb487759995b93ee5c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1929693/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216787/

Comments