MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d8f71039695b040b07f1d5781b4ef5e50b318532eb1139b5de954f13c6751ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	0d8f71039695b040b07f1d5781b4ef5e50b318532eb1139b5de954f13c6751ae
SHA3-384 hash:	2f542a8ead0e8a055eae41ead47b5a7f01721c5f219e0ae9234fb7a13f3c4ec3736255bfc10e650f72c583687687b0c1
SHA1 hash:	dd613242070d5083983eba5742244055cba38a6c
MD5 hash:	bfbc8373bc8c5406a7bbb82fd5088882
humanhash:	alaska-alabama-salami-quebec
File name:	TempoYx30.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	1'971'712 bytes
First seen:	2021-11-22 17:37:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d31639bc44b992226d49e6ecf1a2a248 (5 x TrickBot)
ssdeep	49152:V4tdahKfb8JIhWtqrPMqsGJznOmWAw0Asdz3x9:
Threatray	4'385 similar samples on MalwareBazaar
TLSH	T12D95C190338872EBF6CBD93B5330D82AA26638F57A7750C89BD36F8D196DE404F24945
File icon (PE):
dhash icon	787c78fa87f7e6c4 (16 x Gh0stRAT, 11 x Pikabot, 9 x ManusCrypt)
Reporter	Anonymous
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

831

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TempoYx30.exe

Verdict:

Malicious activity

Analysis date:

2021-11-22 17:43:11 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/ea80dcf7-d741-40f5-a8ee-be8fc307b071

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Creating a file in the %temp% directory

DNS request

Sending a custom TCP request

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm

Link:

https://www.filescan.io/uploads/619bd57f94a88037d2feca51/reports/f0c34055-f3ac-488b-837e-39c578860d55/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00a3eae6-30ff-4c42-b40c-5d1ebafaf964

Result

Threat name:

TrickBot

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/894077

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/0d8f71039695b040b07f1d5781b4ef5e50b318532eb1139b5de954f13c6751ae/

Threat name:

Win32.Trojan.Trickpak

Status:

Malicious

First seen:

2021-11-22 17:38:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 45 (57.78%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

TrickBot

64c5309cb3d2245b3dfadf321296c8a7cf86c9ae33764e09a41932c3c4fc823e

TrickBot

6db7642e42467842b97947426d78418e58c1e0b25f125ce0faa8bfa6436a70b2

TrickBot

784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e

TrickBot

968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f

TrickBot

9890dddc8087d395c5eab7410880b35d3e790d11ab08f2b4a039818e814f21ed

TrickBot

b6ec985f433a33d1c9c38ad7ab288bc2be516075391b67a64cc36f3f668fb1c3

TrickBot

d8ec9f0a62bf5507bee6eaa6fa254937b65a0e27fee0906d715aa7fefa4da968

TrickBot

e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb

TrickBot

f8cdd0190b5b1bc3a441e8298cdedec9f09bca6ff99ec0b461d7730985ffb78b

TrickBot

+ 4'375 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/211122-v7qczsgeem/

Unpacked files

SH256 hash:

e177d899ad1fe93863e30a44fe7adcdbe6cbde5594c9ffe63115592fb2a39de0

MD5 hash:

4610eeac2606fb87588f945a68575a6b

SHA1 hash:

bfe3f6d3fb86a6538b3364e966abafb647eed021

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/ddc2df45-2a69-407e-8524-88b3e40c1727/

Parent samples :

2a039fd90e9150cf1caacb66326d0a3aae6f050c6d0a20e0adbaa2a2e3025450
d8ec9f0a62bf5507bee6eaa6fa254937b65a0e27fee0906d715aa7fefa4da968
0d8f71039695b040b07f1d5781b4ef5e50b318532eb1139b5de954f13c6751ae
e177d899ad1fe93863e30a44fe7adcdbe6cbde5594c9ffe63115592fb2a39de0
c988a65d39f617c531454c2f15971c0a769d42ac84bea0a7a3bd89394ba3e654
355d4c4c8eabcf15161ac4754c6a20fd1945c91a90f88e90de1d2ba2ac1545de

SH256 hash:

04aa2ab81243d5e372aa6dae3f9843f23a1b0144d2dbe06e42170b133762f172

MD5 hash:

abcb2da972e4de000510067e28672b4b

SHA1 hash:

42094cd000f4829b9e05ec4d5d5d01603804dc1b

Link:

https://www.unpac.me/results/ddc2df45-2a69-407e-8524-88b3e40c1727/

SH256 hash:

0d8f71039695b040b07f1d5781b4ef5e50b318532eb1139b5de954f13c6751ae

MD5 hash:

bfbc8373bc8c5406a7bbb82fd5088882

SHA1 hash:

dd613242070d5083983eba5742244055cba38a6c

Link:

https://www.unpac.me/results/ddc2df45-2a69-407e-8524-88b3e40c1727/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0d8f71039695/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0d8f71039695b040b07f1d5781b4ef5e50b318532eb1139b5de954f13c6751ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/208307/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample