MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16f5c54bb382796b4e1bac32286ca9d8fd795564e689f8c69fc3c4de036359ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16f5c54bb382796b4e1bac32286ca9d8fd795564e689f8c69fc3c4de036359ff
SHA3-384 hash: ba64917b0f419c98f5b8cfaa74ac9dc8dc25487e3b314e503343a9df5fc521f2cee49080314427d1c288935c014b35bf
SHA1 hash: fff329c1b7beaf6a876039198911b16f49e5ce0a
MD5 hash: 24e009f41922c03404c092fe80412b02
humanhash: foxtrot-zebra-two-magnesium
File name:24e009f41922c03404c092fe80412b02.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:1'044'523 bytes
First seen:2021-08-19 08:16:09 UTC
Last seen:2021-08-19 09:12:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ddfe9a36510b2622e3b646f642c66069 (1 x TrickBot)
ssdeep 12288:qI4lbF3jrcHyEDzZgRailghisUpqgJluuUM2aaOBYPSnuJ7K3:qBlbF3sHyEDzZrisUJROeuSnkK3
Threatray 3'590 similar samples on MalwareBazaar
TLSH T14025F52120A1E469D872DE38CA6417F222D7D7515BD00CFBC1B9762E32624E3E2B55FE
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
24e009f41922c03404c092fe80412b02.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-19 08:17:32 UTC
Tags:
installer
Link:
https://app.any.run/tasks/a1b47471-8660-4aae-9a0b-1ce0851dda1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180584/
Detection(s):
SecuriteInfo.com.Trojan.Agent.FLTK.18117.15794.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4ade1ef-b5df-4d4f-b55b-5949a4624002
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835615
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468043 Sample: 8e92wTHXkf.exe Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 96 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->96 98 Found malware configuration 2->98 100 Multi AV Scanner detection for dropped file 2->100 102 4 other signatures 2->102 10 8e92wTHXkf.exe 2->10         started        13 cmd.exe 1 2->13         started        process3 signatures4 106 Writes to foreign memory regions 10->106 108 Allocates memory in foreign processes 10->108 15 wermgr.exe 4 10->15         started        20 cmd.exe 10->20         started        22 conhost.exe 13->22         started        process5 dnsIp6 74 46.99.175.149, 443, 49701, 49704 IPKO-ASAL Albania 15->74 76 182.253.210.130, 443, 49705 BIZNET-AS-APBIZNETNETWORKSID Indonesia 15->76 78 6 other IPs or domains 15->78 62 C:\Users\user\AppData\...\8e92wTHXkf.exe, PE32 15->62 dropped 80 Hijacks the control flow in another process 15->80 82 May check the online IP address of the machine 15->82 84 Writes to foreign memory regions 15->84 92 2 other signatures 15->92 24 svchost.exe 5 15->24         started        28 svchost.exe 15->28         started        31 svchost.exe 15->31         started        86 Uses net.exe to modify the status of services 20->86 88 Uses ipconfig to lookup or modify the Windows network settings 20->88 90 Performs a network lookup / discovery via net view 20->90 file7 signatures8 process9 dnsIp10 64 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 24->64 dropped 66 C:\Users\user\AppData\...\Login Data.bak, SQLite 24->66 dropped 68 C:\Users\user\AppData\Local\...\History.bak, SQLite 24->68 dropped 70 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 24->70 dropped 104 Tries to harvest and steal browser information (history, passwords, etc) 24->104 72 45.181.206.8, 443, 49734 QUALITYNETJMSASZOMACCO Colombia 28->72 33 cmd.exe 1 28->33         started        36 cmd.exe 1 28->36         started        38 cmd.exe 1 28->38         started        40 3 other processes 28->40 file11 signatures12 process13 signatures14 94 Performs a network lookup / discovery via net view 33->94 42 conhost.exe 33->42         started        44 net.exe 1 33->44         started        46 conhost.exe 36->46         started        48 net.exe 1 36->48         started        50 net.exe 1 38->50         started        52 conhost.exe 38->52         started        54 conhost.exe 40->54         started        56 conhost.exe 40->56         started        58 4 other processes 40->58 process15 process16 60 net1.exe 1 50->60         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16f5c54bb382796b4e1bac32286ca9d8fd795564e689f8c69fc3c4de036359ff/
Threat name:
Win32.Infostealer.Trickster
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 01:54:00 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
226321291fa1d596e9a0dc89992fc3e36eb070d06c02df249593a3193d216ed3
TrickBot
3533489809de87c678e6f04202f369e771de084c3e41d363a6879cc46f2423a7
TrickBot
447f81782c5ec0ddd591a39b3312adacfca17ea97a161646f54ae7f3de334398
TrickBot
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
TrickBot
c5529c964e7362a3ae3ffd0230d73253a491a38f70d2e88cc42abe8a246075b1
TrickBot
dd3b410927a1c9ee86cc61e70378c37f6cb9285f1da01ab0a07a182bfd4906aa
TrickBot
+ 3'580 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:top117 banker trojan
Link:
https://tria.ge/reports/210819-4dk87agda2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
d36ff529a99a74b5e6bb56cd3659bfe70b58165337c840d2745d5102e3d5fec3
MD5 hash:
c2a03a5d6fd6c6989125de1e1855729f
SHA1 hash:
86cf56a1d4c420bf2b45d9a9446476b3e55496a5
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/ae3175d9-9cf8-44d4-b97d-f803013df76a/
SH256 hash:
0c366fbc7f5933fc56ff954e0c308d0fba0e6d0e6afafca3c1616f064ec31db8
MD5 hash:
4f8793d097eb3f9b27877b45d6784e26
SHA1 hash:
457c99309692e5f3b7c00a344ba564994f34d6e6
Link:
https://www.unpac.me/results/ae3175d9-9cf8-44d4-b97d-f803013df76a/
SH256 hash:
00507af4c81b2827c08ad0bc4a34e975140d989af8dc0290ca30b1e01def1ab1
MD5 hash:
9f6b8d77d143702958952f186ab43125
SHA1 hash:
3b8a92ea559f761bdb94a538f2e3f49e5225153f
Link:
https://www.unpac.me/results/ae3175d9-9cf8-44d4-b97d-f803013df76a/
SH256 hash:
16f5c54bb382796b4e1bac32286ca9d8fd795564e689f8c69fc3c4de036359ff
MD5 hash:
24e009f41922c03404c092fe80412b02
SHA1 hash:
fff329c1b7beaf6a876039198911b16f49e5ce0a
Link:
https://www.unpac.me/results/ae3175d9-9cf8-44d4-b97d-f803013df76a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/16f5c54bb382796b4e1bac32286ca9d8fd795564e689f8c69fc3c4de036359ff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 16f5c54bb382796b4e1bac32286ca9d8fd795564e689f8c69fc3c4de036359ff

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1540855/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180584/

Comments