MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1147a175e30efb3f0bf3c833f3af876684d9892a93396f8124006b17a04b64ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1147a175e30efb3f0bf3c833f3af876684d9892a93396f8124006b17a04b64ed
SHA3-384 hash: ed6f8159e34d4dc0829ce35f416ce9a7dbf63a67c92cfb97cece7dea5809a9fddabeca55559af8c2d1d9e849c551f2c0
SHA1 hash: 3841d976274ccd1a7e86118f11b8d7b61efb85c3
MD5 hash: 51452e51449a2df63d846872da9c82f5
humanhash: papa-sad-robert-edward
File name:51452e51449a2df63d846872da9c82f5.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:884'787 bytes
First seen:2021-06-23 06:48:00 UTC
Last seen:2021-06-23 07:48:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 53e4d13a217de8fcf024ca150e7234ba (9 x TrickBot)
ssdeep 12288:32YoSRduzDAMb8mnt494dJgnLgfK09XODNBRiM/k6m2U:GSRduzkM+94dJgnLl09XmNBjs6W
Threatray 793 similar samples on MalwareBazaar
TLSH B6154B41EA619227C5EB39F02A519B397966ECC95722C5F77FD0BC0CBE326C00936627
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
51452e51449a2df63d846872da9c82f5.exe
Verdict:
Malicious activity
Analysis date:
2021-06-23 06:55:08 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/95f27a38-3c2b-465c-a473-9b6086f6d945

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167750/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.16177.17599.26580.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e821423f-3056-4f48-9664-f781138bb36f
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806415
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438822 Sample: Z7VLdWbUdN.exe Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 3 other signatures 2->49 7 Z7VLdWbUdN.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 51 Writes to foreign memory regions 7->51 53 Allocates memory in foreign processes 7->53 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 cmd.exe 7->18         started        20 conhost.exe 10->20         started        process5 dnsIp6 37 186.97.172.178, 443, 49707, 49716 ColombiaMovilCO Colombia 12->37 39 41.77.185.182, 443, 49718, 49732 vdctelecomGN Guinea 12->39 41 8 other IPs or domains 12->41 57 Hijacks the control flow in another process 12->57 59 May check the online IP address of the machine 12->59 61 Writes to foreign memory regions 12->61 63 2 other signatures 12->63 22 svchost.exe 10 12->22         started        27 svchost.exe 12->27         started        signatures7 process8 dnsIp9 35 12.23.113.92, 443, 49735 ATT-INTERNET4US United States 22->35 29 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 22->29 dropped 31 C:\Users\user\AppData\...\Login Data.bak, SQLite 22->31 dropped 33 C:\Users\user\AppData\Local\...\History.bak, SQLite 22->33 dropped 55 Tries to harvest and steal browser information (history, passwords, etc) 22->55 file10 signatures11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1147a175e30efb3f0bf3c833f3af876684d9892a93396f8124006b17a04b64ed/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 06:48:13 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cfd2c5pdb35t6c7tzaz7hl4hm2cntcjksm4w7ajeabvrpiclmtwq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
13bebdb4628ed345121aaaae5c512e528d01f3cca6da932c165a7d261c0f0356
TrickBot
1df7adb79eb1757f7c54e86369c72a38b24ec25a608d5281b289d5e018e81757
TrickBot
24dd0b8a2e2faff39ea54abc2654d91fdd7349aad14b0537f4d05a6af0b16ebe
TrickBot
2f3c6660f3aa00ef8039afb3efadfe91abf8cf5b5d6ac000e114e91d636e11f7
TrickBot
437d0b75f67c18c12a35d9c0e1a32fc57b426834fa4df63f30f11cb17dd24528
TrickBot
4e2afdf4b77dc7fb7b36668f5ea70189a73f5acb78ba234d31b02b30227179ff
TrickBot
87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4
TrickBot
d5bbcb4b0242124fd01644dfe1528bbb2107d795d8528b9fff8e53e62f165356
TrickBot
f17f19350c6dbcf733c1d2fed10e8c853ac3af5117e8dc8122f06c87bd41d19f
TrickBot
f90aeb669c32ed6f1009101cc3c071a840f25c7828035601e92f4e17cd95b606
TrickBot
+ 783 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot113 banker trojan
Link:
https://tria.ge/reports/210623-7gmq4xwrzx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
196.43.106.38:443
186.97.172.178:443
37.228.70.134:443
144.48.139.206:443
190.110.179.139:443
172.105.15.152:443
177.67.137.111:443
27.72.107.215:443
186.66.15.10:443
189.206.78.155:443
202.131.227.229:443
185.9.187.10:443
196.41.57.46:443
212.200.25.118:443
197.254.14.238:443
45.229.71.211:443
181.167.217.53:443
181.129.116.58:443
185.189.55.207:443
172.104.241.29:443
14.241.244.60:443
144.48.138.213:443
202.138.242.7:443
202.166.196.111:443
36.94.100.202:443
187.19.167.233:443
181.129.242.202:443
36.94.27.124:443
43.245.216.116:443
186.225.63.18:443
41.77.134.250:443
Unpacked files
SH256 hash:
f8105c849aabfa666b1a513a224d899509c74ce45a7d001a9aa12e7507a0a4bc
MD5 hash:
33aece77694f7ca4803d3c0c267e06a0
SHA1 hash:
e5584fc74193b1f1bf0c0bc092ca052f043f469e
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/cd551ebd-5f18-4229-8379-231265d6d119/
Parent samples :
7f77b60f4ba221f7a29938d0b3e8f568a4ecb4f010a122770a4173cd96d32c4e
b13776c2708961fadeba4d2fb3cf75f77e39688bd8969141675ef75044c5b3f9
1147a175e30efb3f0bf3c833f3af876684d9892a93396f8124006b17a04b64ed
b41d80b05441da71d2d8d0c2e46be861db8f6ef47746d61354e041461af113fc
cddb1b13c923f3c748425be6d91a06b3a64ca16b4deb1f322b47decd2b37b93e
9daa699ecef632ab2f605bd6917c410f676b22bd173f6ad4ed567fa4ce66d909
81fbe9091c45b4df68780d878b21111b8735edb18b902a3983d114c719f509c3
SH256 hash:
a39b6a594fcca2480fa92073b33051dd062fa1f1b6635c856106a4c9c4b4437a
MD5 hash:
c5cac172322ded727c9511de51bd01fc
SHA1 hash:
54a319c9e6f38f9002704626445c4c4fd593c11f
Link:
https://www.unpac.me/results/cd551ebd-5f18-4229-8379-231265d6d119/
SH256 hash:
d2fa1a6ed49191aabfad62739fb934ea0ad162b51aa209df9ce51525317e23a2
MD5 hash:
d655cb0c4d4a130f22054ee4f06b8800
SHA1 hash:
283e102d503ed09a8e9bbc8074bafd00b76e7b32
Link:
https://www.unpac.me/results/cd551ebd-5f18-4229-8379-231265d6d119/
SH256 hash:
1147a175e30efb3f0bf3c833f3af876684d9892a93396f8124006b17a04b64ed
MD5 hash:
51452e51449a2df63d846872da9c82f5
SHA1 hash:
3841d976274ccd1a7e86118f11b8d7b61efb85c3
Link:
https://www.unpac.me/results/cd551ebd-5f18-4229-8379-231265d6d119/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/1147a175e30efb3f0bf3c833f3af876684d9892a93396f8124006b17a04b64ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 1147a175e30efb3f0bf3c833f3af876684d9892a93396f8124006b17a04b64ed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1373175/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167750/

Comments