MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01f2c84a70591092d759626abcda56cd89a3f76b51627685df2611e861657a3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01f2c84a70591092d759626abcda56cd89a3f76b51627685df2611e861657a3e
SHA3-384 hash: fbfb6e80c03db3de8e5f6d0e6b17bb6fd07bede59caa78e08688cb99ae7c9b472cd799ff7fe588c8a2c55068d7d44b0e
SHA1 hash: 679fb05317480d4565963a3ce506c8d7b568fc8c
MD5 hash: 6aa7925f6d03c57b8b7ff2a05f6f06bb
humanhash: ten-lithium-lamp-equal
File name:01f2c84a70591092d759626abcda56cd89a3f76b51627685df2611e861657a3e
Download: download sample
Signature TrickBot
Create hunting rule
File size:2'671'616 bytes
First seen:2021-06-01 15:01:07 UTC
Last seen:2021-06-01 15:41:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 555560b7871e0ba802f2f6fbf05d9bfa (1 x TrickBot)
ssdeep 49152:m0dZXWp9v+FfUpMz8n+ZuZUB4+0zX9aYUhg+6nXmv632EEZnoZzf0G:xdkKRMRzX9anumy31E+Zz
Threatray 765 similar samples on MalwareBazaar
TLSH DAC52F32A360905EC2531AF7E45CCAA9B5A4F0B5551F6DE85FC2E8CFF6342F51EA8810
Reporter Anonymous
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
422
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
01f2c84a70591092d759626abcda56cd89a3f76b51627685df2611e861657a3e
Verdict:
No threats detected
Analysis date:
2021-06-01 15:06:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/45acdc1d-f802-4ff8-a992-0ac4b92eca26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163870/
Detection(s):
SecuriteInfo.com.Variant.Trickbot.Zusy.54.10412.18762.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/795388
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/01f2c84a70591092d759626abcda56cd89a3f76b51627685df2611e861657a3e/
Threat name:
Win32.Ransomware.TrickbotZusy
Create hunting rule
Status:
Malicious
First seen:
2021-06-01 15:02:10 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahzmqstqleijfv2zmjvlzwswzwe2h53lkfrhnbo7eyi6qylfpi7a._file
Verdict:
suspicious
Similar samples:
1df7adb79eb1757f7c54e86369c72a38b24ec25a608d5281b289d5e018e81757
TrickBot
2f3c6660f3aa00ef8039afb3efadfe91abf8cf5b5d6ac000e114e91d636e11f7
TrickBot
3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18
TrickBot
437d0b75f67c18c12a35d9c0e1a32fc57b426834fa4df63f30f11cb17dd24528
TrickBot
507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd
TrickBot
678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24
TrickBot
acb81dadb44ea5fac7a47aa1829865e765524bff935c74e2f31af97ed81b7479
TrickBot
c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2
TrickBot
f17f19350c6dbcf733c1d2fed10e8c853ac3af5117e8dc8122f06c87bd41d19f
TrickBot
f90aeb669c32ed6f1009101cc3c071a840f25c7828035601e92f4e17cd95b606
TrickBot
+ 755 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob96 banker trojan
Link:
https://tria.ge/reports/210601-2w4hd7bfca/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
196.43.106.38:443
186.97.172.178:443
37.228.70.134:443
144.48.139.206:443
190.110.179.139:443
172.105.15.152:443
177.67.137.111:443
27.72.107.215:443
186.66.15.10:443
189.206.78.155:443
202.131.227.229:443
185.9.187.10:443
196.41.57.46:443
212.200.25.118:443
197.254.14.238:443
45.229.71.211:443
181.167.217.53:443
181.129.116.58:443
185.189.55.207:443
172.104.241.29:443
14.241.244.60:443
144.48.138.213:443
202.138.242.7:443
202.166.196.111:443
36.94.100.202:443
187.19.167.233:443
181.129.242.202:443
36.94.27.124:443
43.245.216.116:443
186.225.63.18:443
41.77.134.250:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01f2c84a70591092d759626abcda56cd89a3f76b51627685df2611e861657a3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163870/

Comments