MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1
SHA3-384 hash: b14e863c3c25ff5d938e7a2bb73e8bbb9d73df20326a7e743f1b7be278247d29e3ed746c458e09e5df982d5de7cacf38
SHA1 hash: 7651ebc07591218626294f82b7240346a34cbd7b
MD5 hash: 2928280c57a302bc16c47687ffa6fb5b
humanhash: gee-tango-harry-edward
File name:052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1
Download: download sample
Signature TrickBot
Create hunting rule
File size:163'808 bytes
First seen:2020-10-24 21:05:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:SH46pwuexbq0J2uKpQTbFgq5xvhPFFPZ31C72Bm+UgkrS2n2icz:04weEu7FhPbPZ319nkF
Threatray 4 similar samples on MalwareBazaar
TLSH ADF312F74CB6D793FB4861B7A3B27B0D7D1D4644CA5A0F66E3096C38D19CAF8A484105
Reporter seifreed
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75274/
Detection(s):
Win.Malware.Cerbu-6992546-0
Create hunting rule

Win.Malware.Cerbu-6992551-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Replacing files
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Adding exclusions to Windows Defender
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508691
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected Trickbot e-Banking trojan config
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303463 Sample: ce8lMhh1UN Startdate: 24/10/2020 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 7 other signatures 2->42 7 ce8lMhh1UN.exe 3 2->7         started        11 ce9lMhh1UN.exe 2->11         started        13 ce9lMhh1UN.exe 2->13         started        process3 file4 26 C:\Users\user\AppData\...\ce9lMhh1UN.exe, PE32 7->26 dropped 28 C:\Users\...\ce9lMhh1UN.exe:Zone.Identifier, ASCII 7->28 dropped 46 Delayed program exit found 7->46 15 ce9lMhh1UN.exe 7->15         started        48 Hijacks the control flow in another process 11->48 50 Writes to foreign memory regions 11->50 52 Allocates memory in foreign processes 11->52 18 svchost.exe 11->18         started        54 Injects a PE file into a foreign processes 13->54 20 svchost.exe 13->20         started        signatures5 process6 signatures7 56 Antivirus detection for dropped file 15->56 58 Multi AV Scanner detection for dropped file 15->58 60 Hijacks the control flow in another process 15->60 62 5 other signatures 15->62 22 svchost.exe 3 3 15->22         started        process8 dnsIp9 30 185.249.255.77, 443 M247GB Russian Federation 22->30 32 179.107.89.145, 449 LDTelecomunicacoesLTDABR Brazil 22->32 34 2 other IPs or domains 22->34 44 Creates autostart registry keys with suspicious names 22->44 signatures10
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 16:32:16 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aurgjllz4ko3ulsfotze3eh4cudf3ybgqx2pysrqrqi6s4v7olaq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
23df6c7581b2fe80336763ab3f25db6fdd1c6249b01f75beb58793628eb0c615
TrickBot
261e6a161980bf628360fc371e791ccd31740ec571ebd523e742404e350ffb05
TrickBot
6952da5cbad1a97c504747baeb0f42391c78567b1f70bdeab2a8c60c1b28f39d
TrickBot
7194aa3ef48725220516bc618aec8ab92ddef859de8f584a6a214ed9812e221a
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
evasion trojan banker family:trickbot persistence
Link:
https://tria.ge/reports/201024-ngmx5kdj26/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Windows security bypass
Malware Config
C2 Extraction:
209.121.142.202:449
5.102.177.205:449
209.121.142.214:449
95.161.180.42:449
203.86.222.142:443
173.220.6.194:449
179.107.89.145:449
46.20.207.204:443
69.122.117.95:449
68.96.73.154:449
185.42.192.194:449
189.84.125.37:443
68.227.31.46:449
107.144.49.162:443
46.72.175.17:449
144.48.51.8:443
46.243.179.212:449
81.177.255.76:449
37.230.112.67:443
92.53.78.159:443
92.53.77.41:443
185.159.130.203:443
91.235.129.76:443
37.46.128.226:443
185.249.255.77:443
37.230.114.164:443
109.234.37.39:443
89.223.31.103:443
80.93.182.201:443
Unpacked files
SH256 hash:
052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1
MD5 hash:
2928280c57a302bc16c47687ffa6fb5b
SHA1 hash:
7651ebc07591218626294f82b7240346a34cbd7b
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/d7f5834f-d004-4f44-bceb-0b67a2bce28c/
SH256 hash:
c39f4ee0608a434569db0163725a4366ddb35e375e58168831b89f140fb1e2ff
MD5 hash:
fa7011ca344a9028625d4224a3db0e03
SHA1 hash:
b5dce9a475a1676e9c816aa14a8ea539b79a15bc
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/d7f5834f-d004-4f44-bceb-0b67a2bce28c/
Parent samples :
23df6c7581b2fe80336763ab3f25db6fdd1c6249b01f75beb58793628eb0c615
c39f4ee0608a434569db0163725a4366ddb35e375e58168831b89f140fb1e2ff
5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Upatre
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/75274/

Comments