MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02d94ba6b618432fbff565565a638042fa9ffca2676e99c4624db5208376542c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	02d94ba6b618432fbff565565a638042fa9ffca2676e99c4624db5208376542c
SHA3-384 hash:	fca91ba698bd2afe05b6d34c7a940a8b3cb3a2f8bf50d0671cd73dad51e1e62f208e9196eea0bafd21b11543fdcc1f24
SHA1 hash:	30caa950d0e908ad6ce2462748b87f2601efdfd7
MD5 hash:	b23c6c3b5962970d8d61a8b67f48a2ab
humanhash:	white-mango-kansas-earth
File name:	02d94ba6b618432fbff565565a638042fa9ffca2676e99c4624db5208376542c
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	569'392 bytes
First seen:	2020-11-06 11:37:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2125b5f60a60a392f99267b5695ea082 (13 x TrickBot)
ssdeep	6144:QCPdiOzsdiOPCaguZWZwvcdiOuNCc5vIJCty1pHsqWCU9TTNYWmk:QE9Y92uZWZn9VPD11hDUJZb
Threatray	5'859 similar samples on MalwareBazaar
TLSH	24C49D16B290D4B6D6CA053ADDA2CEF84168EC5ACC10E79BF395FF6F34BA1428D71109
Reporter	seifreed
Tags:	TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Vebzenpak-9782036-0

Win.Malware.Vebzenpak-9782048-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Connection attempt

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02d94ba6b618432fbff565565a638042fa9ffca2676e99c4624db5208376542c/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2020-10-28 22:27:56 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=almuxjvwdbbs7p7vmvlfuy4ail5j77fcm5xjtrdcjw2sba3wkqwa._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

7984df6018af3f340757e48e5fb6105c6476c1832c23cb3ec9e0b8a08623436e

TrickBot

7b274825019cc4b9818767e353a90dd8af7d18a91110739cc4079f5bbd6d2dbe

TrickBot

91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3

TrickBot

9aa0f2a8b7cf8b2943a8d95a4808170aeae514e14cd318f5e8ab200e6e846838

TrickBot

a37228b4f506ba3e0c19aac4cff3ff3158fc53a3bdeb1dee6fc77a0a9868b3ac

TrickBot

c21982594c699fb0393d9d87dbc9ac0ffa931daaff40714f33c7fe52c8c961b2

TrickBot

cc42a51ff65b9787f17a6d442b1688057449ea20f3630d58a9a3af68eed71105

TrickBot

e06c2375f3711e571d41e2d9b7c2601665e5c28f7cb1e43f06b57a29371ff5bb

TrickBot

f48c889018613e2c96fcfe50a0b7ab313cfc53634c7b8497152c48c944f50bdf

TrickBot

+ 5'849 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:lib800 banker trojan

Link:

https://tria.ge/reports/201106-2c6f4h962j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Trickbot

Malware Config

C2 Extraction:

95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449

Unpacked files

SH256 hash:

02d94ba6b618432fbff565565a638042fa9ffca2676e99c4624db5208376542c

MD5 hash:

b23c6c3b5962970d8d61a8b67f48a2ab

SHA1 hash:

30caa950d0e908ad6ce2462748b87f2601efdfd7

Link:

https://www.unpac.me/results/8a8c927c-c471-4dbb-9d14-95faa1ff8fe2/

SH256 hash:

c95e9a478716b70fd3cd41df75fd84e0249589deb545f2606e4083afdb6470fa

MD5 hash:

ba732e65531160940178dd3db5c7bcd5

SHA1 hash:

5fc1cd98c6cdd055b1ef4ba3ed54c1ecd38b9c5d

Link:

https://www.unpac.me/results/8a8c927c-c471-4dbb-9d14-95faa1ff8fe2/

SH256 hash:

c9745689d7fd6d34837960f518360339cdc7a6e7e82e26acedb3c9fde75ef850

MD5 hash:

8fbe36fa58e2d3ba72e992aff01ab254

SHA1 hash:

b2c3edbde486814923a649276f11c2de2c60bd45

Detections:

win_trickbot_a4

win_trickbot_g6

win_trickbot_auto

Link:

https://www.unpac.me/results/8a8c927c-c471-4dbb-9d14-95faa1ff8fe2/

Parent samples :

eb44f5ac14c2880848a35261d44e8a1027797138856770c7fda3718aeb0c7af5
02d94ba6b618432fbff565565a638042fa9ffca2676e99c4624db5208376542c
ba157865bc87f870332e49a55edeb0d19f8351fd410b6d1dfff3bd2917006a6b
dd6df1fd627a7b99588b807b8fc58aae480732e7f8fdb5bbd6c7b67b329ce9d5
346c4bdd618a7bda16c4298591f7d9d5d2de69b031c98a9720ce03e482129eea
2a8c90837c9111bfdea7eb357b2346471d18a7bc74778ca8f9cb6322112a55f4
042138804cfe14b527e922e0256c35ce3ef305701a2b309475b9656ebbc52342
24685ae80833bb2a534ca942681d445795038cbb83be3bb19844c17a7a4b6398
1a88779e8e9a622d5ca5afb2a67d6f979f32e02abf8fbde4e5070c90a5b7972b

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_trickbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample