MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9
SHA3-384 hash: 84f65cac42470c9f3920019b8fb60f3975be1c0528c180a180839b60198b36de966f6cae2aabf532b3c5c777dd75a027
SHA1 hash: 98f77caf24f14dca0fa163596a730269037f2065
MD5 hash: ee566f0e04b497770c5baa4de14c416f
humanhash: single-romeo-carbon-minnesota
File name:ee566f0e04b497770c5baa4de14c416f.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:656'384 bytes
First seen:2021-11-07 08:38:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a49715e49b2891839bf716e121ca434 (12 x TrickBot)
ssdeep 12288:InZndx1krxFPqBSPcLQuDACflBMhhDKG/M:AZdxuQSP/u8Qm5J
Threatray 2'006 similar samples on MalwareBazaar
TLSH T115D4E0103390C032D5A324718A69DBB58E7EB861676275CF3BD91E7E5F24AD1EA3430E
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/203004/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.38286.19831.22095.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/618790a92084b424af0dafea/reports/67c1591c-f752-4021-9b25-7e19796cd1fe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f014ef4-daea-460e-bc6d-38fb8ab6e9df
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884752
Signature
Found detection on Joe Sandbox Cloud Basic with higher score
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 517208 Sample: SXCjsXDXXU.exe Startdate: 07/11/2021 Architecture: WINDOWS Score: 100 32 wtfismyip.com 2->32 34 91.143.129.102.zen.spamhaus.org 2->34 36 2 other IPs or domains 2->36 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 4 other signatures 2->58 8 SXCjsXDXXU.exe 2->8         started        11 cmd.exe 1 2->11         started        13 UserOOBEBroker.exe 2->13         started        signatures3 process4 signatures5 60 Writes to foreign memory regions 8->60 15 wermgr.exe 4 8->15         started        20 cmd.exe 8->20         started        22 SXCjsXDXXU.exe 11->22         started        24 conhost.exe 11->24         started        process6 dnsIp7 38 103.146.232.154, 443, 49785 WIDENET-AS-INWideNetcomIndiaIN unknown 15->38 40 36.95.23.89, 443, 49774, 49775 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 15->40 42 5 other IPs or domains 15->42 30 C:\Users\user\AppData\...\SXCjsXDXXU.exe, PE32 15->30 dropped 44 Tries to harvest and steal browser information (history, passwords, etc) 15->44 46 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 15->46 48 Multi AV Scanner detection for dropped file 22->48 50 Writes to foreign memory regions 22->50 26 wermgr.exe 22->26         started        28 cmd.exe 22->28         started        file8 signatures9 process10
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-11-07 08:39:04 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3nml5zaqr77hsm4owuvbkfqpw7qsajh65yboh4nabnay5wcbxuq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0014daeadce3a90746e84a3ddb7388be202598fba7dc67826550df3456e70941
TrickBot
2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
TrickBot
33fcd639567316ceffba1be151d878ece3af93f5a6949be1387d3c98435c5bf9
TrickBot
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
TrickBot
85f057d2c37c0cd3a6d8c12dc70b77d871b5d04fd7a1377e7722e33c298060c5
TrickBot
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
TrickBot
9c8e26bdf89634254162a5529bd2c8c3bc4c2215be3d7cb39a47fcd0327c045d
TrickBot
9dbffb4b069247648835fbdbc7ee71d467ee258a37b05797e83facfe53e61015
TrickBot
cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc
TrickBot
+ 1'996 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot176 banker trojan
Link:
https://tria.ge/reports/211107-kkbafahgh7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
36.91.117.231:443
36.89.228.201:443
103.75.32.173:443
45.115.172.105:443
36.95.23.89:443
103.123.86.104:443
202.65.119.162:443
202.9.121.143:443
139.255.65.170:443
110.172.137.20:443
103.146.232.154:443
36.91.88.164:443
103.47.170.131:443
122.117.90.133:443
103.9.188.78:443
210.2.149.202:443
118.91.190.42:443
117.222.61.115:443
117.222.57.92:443
136.228.128.21:443
103.47.170.130:443
36.91.186.235:443
103.194.88.4:443
116.206.153.212:443
58.97.72.83:443
139.255.6.2:443
Unpacked files
SH256 hash:
9335d48fdc4d8f658194291028c32450f823fdc0521bf6e823bb0e7882c5b0b7
MD5 hash:
0f9de9501b0d3f28fed2cd9734296642
SHA1 hash:
92f3ad27a41774ae916f5cc742ef70f6598e5b6f
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a2bddbc-416c-464e-819b-2b617e518320/
Parent samples :
22fb786d79039626d478c88e16ad8da6fd1525a2dfae6f8e2510b0522c063377
06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9
92f8619538ca801f9af78facfcdd8df39bf355b1e5d0edd6bce9a0fa9c64b89d
SH256 hash:
06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9
MD5 hash:
ee566f0e04b497770c5baa4de14c416f
SHA1 hash:
98f77caf24f14dca0fa163596a730269037f2065
Link:
https://www.unpac.me/results/5a2bddbc-416c-464e-819b-2b617e518320/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 06dac5f720847ff3c99c75a950a8b07dbf090127f770171f8d005a0c76c20de9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1755435/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/203004/

Comments