MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1392af38980ae18dea6cf1f2a504e2cbe0c5a39afd1d35de3f5b6406115b3b2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	1392af38980ae18dea6cf1f2a504e2cbe0c5a39afd1d35de3f5b6406115b3b2b
SHA3-384 hash:	94361b0941790e148ce86acd625f5b1c1eb6edddde7bb97a7f18859b2f191c0f14131f8643214d0d2bacdb9071b832c4
SHA1 hash:	a1ea30a851908af7bfb3ba47f467914d0b7284b5
MD5 hash:	f4b0a94931bd383134fb4be32971a67e
humanhash:	uranus-august-blossom-helium
File name:	f4b0a94931bd383134fb4be32971a67e.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	450'989 bytes
First seen:	2020-08-04 10:18:31 UTC
Last seen:	2020-08-05 07:01:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f659b493cd16246e9de665422422669b (62 x TrickBot)
ssdeep	6144:GcgG+DlDlDlPKa4cjcZ70+7FQrH+48PiR5zcakf:v+dKa4cjcaDr+48PQ5z4
Threatray	168 similar samples on MalwareBazaar
TLSH	A7A48E11FD630042D829057C086A4438DF1B2F7AFD39AA125FC1BE4F47B61666AA5B3F
Reporter	abuse_ch
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38466/

Detection(s):

SecuriteInfo.com.Trojan.Packed.140.20303.30840.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Sending a UDP request

Delayed writing of the file

Deleting a recently created file

Launching a process

Sending a custom TCP request

Unauthorized injection to a system process

Result

Threat name:

Trickbot

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/409022

Signature

Allocates memory in foreign processes

Delayed program exit found

Found malware configuration

May check the online IP address of the machine

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1392af38980ae18dea6cf1f2a504e2cbe0c5a39afd1d35de3f5b6406115b3b2b/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-08-04 07:27:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Verdict:

unknown

Result

Malware family:

trickbot

Score:

10/10

Tags:

trojan banker family:trickbot

Link:

https://tria.ge/reports/200804-7wmcb8rkyn/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Trickbot

Malware Config

C2 Extraction:

51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1392af38980ae18dea6cf1f2a504e2cbe0c5a39afd1d35de3f5b6406115b3b2b