MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565
SHA3-384 hash: d4f10d306d70003f7bb91c1c7319ea4b0a02a5504cb01180570ed79da6beb53f5bcb1087f700dd549866f17ee6fc36b3
SHA1 hash: 3bb6269473aafafd9b5b8931fdbcd6bf2aa10b55
MD5 hash: c7e6ab5b45d664feb300b309566f3107
humanhash: harry-mobile-high-september
File name:c7e6ab5b45d664feb300b309566f3107.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:453'632 bytes
First seen:2021-10-27 12:29:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea5a56b411909a74a5afb4f0920c62b1 (4 x TrickBot)
ssdeep 6144:Cm18XMqwPrNX41U+GREB+n/MnzHq6b47w6dHU0QpNGjak9hgqEXGGy:j1r1rNX41TGR7nuzHdMk6duNeZAGF
Threatray 4'236 similar samples on MalwareBazaar
TLSH T1BCA4F11136C0C076F0731279CDE9A676863ABC715F2469DBB7C51BAE0F792D0AA38247
File icon (PE):PE icon
dhash icon 115060f4f0f972b0 (4 x TrickBot)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200528/
Detection(s):
SecuriteInfo.com.Variant.Zusy.405052.10049.23670.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6179464ddb358dd15edfb6aa/reports/64af8d77-b456-4bb2-a537-bc869b827c5b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4711404d-3852-4b74-a2f8-a36762764b0d
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877773
Signature
Found detection on Joe Sandbox Cloud Basic with higher score
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1836 Sample: zpBXh0mWs7.exe Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 30 wtfismyip.com 2->30 32 spclient.wg.spotify.com 2->32 34 2 other IPs or domains 2->34 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 8 zpBXh0mWs7.exe 2->8         started        11 cmd.exe 1 2->11         started        signatures3 process4 signatures5 50 Writes to foreign memory regions 8->50 13 wermgr.exe 4 8->13         started        18 cmd.exe 8->18         started        20 zpBXh0mWs7.exe 11->20         started        22 conhost.exe 11->22         started        process6 dnsIp7 36 105.27.205.34, 443, 49809, 49812 SEACOM-ASMU Mauritius 13->36 38 128.201.76.252, 443, 49781, 49783 PedroFArrudaJuniorMEBR Brazil 13->38 40 wtfismyip.com 84.22.120.25, 49782, 80 TILAANL Germany 13->40 28 C:\Users\user\AppData\...\zpBXh0mWs7.exe, PE32 13->28 dropped 52 Tries to harvest and steal browser information (history, passwords, etc) 13->52 54 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 13->54 56 Multi AV Scanner detection for dropped file 20->56 58 Writes to foreign memory regions 20->58 24 wermgr.exe 20->24         started        26 cmd.exe 20->26         started        file8 signatures9 process10
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 12:30:14 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0014daeadce3a90746e84a3ddb7388be202598fba7dc67826550df3456e70941
TrickBot
074870cf4c7b80cd7e61c731dcae68c1707c55457ef1004c6c32cadc1fdf5206
TrickBot
3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652
TrickBot
3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e
TrickBot
473dfbecc3818114569a9a9f80b0a51ad74b3d88fa778158ab145e839ecb042c
TrickBot
5f98da253ec5d1ffbbe07b9ee727a8d8162911b70d59d905f2a2f52579f524d2
TrickBot
784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e
TrickBot
b980379d3c681f6c4278bc831365a5b3e4c4b8807172c7f5faa9d48ffebb19de
TrickBot
+ 4'226 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lip141 banker suricata trojan
Link:
https://tria.ge/reports/211027-pphbrshahm/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
6968385a375a1818cf0cf2ed3f64b023d28e4aee504210dd679c49e41698da02
MD5 hash:
3cb1f3b3c420530739c507eb962ce89a
SHA1 hash:
d997bd487154aab136f6aa503ad585cfae872279
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/972e1a2b-ecbe-438e-b2f6-4bde680596c6/
Parent samples :
784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e
061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565
SH256 hash:
061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565
MD5 hash:
c7e6ab5b45d664feb300b309566f3107
SHA1 hash:
3bb6269473aafafd9b5b8931fdbcd6bf2aa10b55
Link:
https://www.unpac.me/results/972e1a2b-ecbe-438e-b2f6-4bde680596c6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/061489cf971a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/200528/
  
URLhaus
https://urlhaus.abuse.ch/url/1698135/
  
Delivery method
Distributed via web download

Comments