MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e
SHA3-384 hash: b5ffb3b5c243a34805b9c7761f68d4ea88cd9b1f9e5e28cbd73b3c945f5ca72183eb8b25d0a6e9a938f9f32202e54ce5
SHA1 hash: a897f6fb6fff70c71b224caea80846bcd264cf1e
MD5 hash: d7d6889bfa96724f7b3f951bc06e8c02
humanhash: yankee-venus-angel-seventeen
File name:0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e
Download: download sample
Signature TrickBot
Create hunting rule
File size:5'617'050 bytes
First seen:2020-08-28 12:50:42 UTC
Last seen:2021-05-14 07:44:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 98304:C/dcHQ18Jd5QgmLuqHTernf4+zo7lkckufeIP7gyA01gNQMB3FurAI6NH:dHQ+Jd52fTwf4Lxk8P7gyhenFKAIS
Threatray 14 similar samples on MalwareBazaar
TLSH 2546F171F284ACA2C01701B49C78E6B0256FFF560A3D8A027676760F59BA3D27536F4B
Reporter JAMESWT_WT
Tags:185.117.73.222 TrickBot

Intelligence

File Origin
# of uploads :
3
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.ObliqueRAT-7591466-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Creating a file
Modifying an executable file
Deleting a recently created file
Creating a window
Sending a UDP request
Launching a process
Moving a recently created file
Replacing files
Creating a file in the Program Files subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connection attempt
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Result
Threat name:
Neshta ObliqueRat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/453507
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Neshta
Yara detected Oblique Rat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279124 Sample: ZViJJ3meEi Startdate: 28/08/2020 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Antivirus detection for dropped file 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 9 other signatures 2->70 10 ZViJJ3meEi.exe 4 2->10         started        14 svchost.com 2->14         started        16 Video.UI.exe 57 49 2->16         started        process3 dnsIp4 42 C:\Windows\svchost.com, PE32 10->42 dropped 44 C:\ProgramData\...\vcredist_x86.exe, PE32 10->44 dropped 46 C:\ProgramData\...\VC_redist.x64.exe, PE32 10->46 dropped 54 98 other malicious files 10->54 dropped 74 Creates an undocumented autostart registry key 10->74 76 Drops PE files with a suspicious file extension 10->76 78 Drops executable to a common third party application directory 10->78 80 Infects executable files (exe, dll, sys, html) 10->80 19 ZViJJ3meEi.exe 3 4 10->19         started        48 C:\Users\Public\Video\frame.exe, PE32 14->48 dropped 50 C:\Windows\directx.sys, ASCII 14->50 dropped 52 C:\Users\Public\Video\hrss.exe, PE32 14->52 dropped 21 lphsi.exe 14->21         started        58 activation2.eastus2.cloudapp.azure.com 40.79.86.63, 443, 49720 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->58 60 settings-ssl.xboxlive.com 16->60 file5 signatures6 process7 process8 23 svchost.com 1 19->23         started        file9 40 C:\Users\user\AppData\...\ZViJJ3meEi.exe, PE32 23->40 dropped 72 Sample is not signed and drops a device driver 23->72 27 frame.exe 2 4 23->27         started        signatures10 process11 file12 56 C:\Users\Public\Video\lphsi.exe, PE32 27->56 dropped 82 Drops executables to the windows directory (C:\Windows) and starts them 27->82 31 svchost.com 27->31         started        33 svchost.com 27->33         started        signatures13 process14 process15 35 lphsi.exe 31->35         started        38 hrss.exe 33->38         started        dnsIp16 62 185.117.73.222, 3344 HSAE Netherlands 35->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2020-02-20 13:21:00 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
0a5e60319a443610bd184d1d0140036332d56430e32976e79c6aeec24be7d701
TrickBot
1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb
TrickBot
52055c63e2a063c0d4489918ff3bc7e63c9ff94bb56ad95003d8594d01bb81d2
TrickBot
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
TrickBot
6cdda681496328866d2578f5134c0f87be9918419d6ad31f2e8a7b1b479f7a87
TrickBot
8ccce2a5d01211e5db0bcc8721dbea06422c5f3133466e4945e4d301d44df3b2
TrickBot
b54934cb8e1ff68d2c4306e5a6eb0f9e649ad1680960253c0cfa0c35a6c4d313
TrickBot
c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9
TrickBot
d6634157030fbc5aa6d88565981868dcacedfd91b8031ab0e2e8dd1a3f1b1c16
TrickBot
e1614a878888eddb3296e856dc5f4e63a926b9e4c899cf09da12a8f477ace4cf
TrickBot
+ 4 additional samples on MalwareBazaar
Result
Malware family:
oblique
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:oblique spyware
Link:
https://tria.ge/reports/200828-hkf3ryzkl6/
Behaviour
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
JavaScript code in executable
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies system executable filetype association
ObliqueRAT
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Neshta
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/52325/

Comments