MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
SHA3-384 hash: 597cc3d0bc8faa026bd9e08208ea3294bb0819d7d540d822f54fa08c64f272b2f2cf8b07a83e3c50bd6b8056de62c249
SHA1 hash: f302942049189a72893bd88d6054f599aaccc164
MD5 hash: ec00bdbe605b0e4909795bf55230c24f
humanhash: mockingbird-california-crazy-echo
File name:ec00bdbe605b0e4909795bf55230c24f.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:434'304 bytes
First seen:2021-01-06 07:54:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fb6fb94e4b762fed1b02b86bf34a8b0b (7 x TrickBot)
ssdeep 6144:XWr/Zk+YqAipOQkh+y5NT+rtdLkA42HHiptpz4nrIBIdP1FD+k0lXIFjIiNj4unx:XWrxk+3OQPPlky63kQu0mfAok/Or
Threatray 92 similar samples on MalwareBazaar
TLSH A294122246C6BA19ECE74CF8B79F8BEA20045B759B7819877E617D2C91F1081E414B3F
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ec00bdbe605b0e4909795bf55230c24f.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-06 07:59:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed56cd41-65d3-4a0d-91ff-f9a7ea834bb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110703/
Detection(s):
SecuriteInfo.com.Trojan.Packed.140.11016.16598.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574904
Signature
Allocates memory in foreign processes
Delayed program exit found
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336513 Sample: 6SRdYNN63E.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Found malware configuration 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 3 other signatures 2->76 10 6SRdYNN63E.exe 4 2->10         started        14 6SRdYNN63E.exe 1 2->14         started        process3 file4 44 C:\Users\user\AppData\...\6SRdYNN63E.exe, PE32 10->44 dropped 46 C:\Users\...\6SRdYNN63E.exe:Zone.Identifier, ASCII 10->46 dropped 86 Detected unpacking (changes PE section rights) 10->86 16 6SRdYNN63E.exe 1 10->16         started        19 conhost.exe 10->19         started        88 Writes to foreign memory regions 14->88 90 Allocates memory in foreign processes 14->90 21 conhost.exe 14->21         started        23 wermgr.exe 14->23         started        signatures5 process6 signatures7 62 Multi AV Scanner detection for dropped file 16->62 64 Detected unpacking (changes PE section rights) 16->64 66 Machine Learning detection for dropped file 16->66 68 3 other signatures 16->68 25 wermgr.exe 1 16->25         started        process8 dnsIp9 54 149.54.11.54, 449, 49744, 49747 GCN-DCN-ASAFGHANTELECOMGOVERNMENTCOMMUNICATIONNETWORKA Afghanistan 25->54 56 36.94.167.167, 447, 49748, 49755 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 25->56 58 6 other IPs or domains 25->58 78 Hijacks the control flow in another process 25->78 80 Writes to foreign memory regions 25->80 82 Tries to detect virtualization through RDTSC time measurements 25->82 84 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->84 29 cmd.exe 11 25->29         started        34 cmd.exe 1 25->34         started        signatures10 process11 dnsIp12 60 186.47.209.222, 443, 49756, 49761 CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC Ecuador 29->60 48 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 29->48 dropped 50 C:\Users\user\AppData\...\Login Data.bak, SQLite 29->50 dropped 52 C:\Users\user\AppData\Local\...\History.bak, SQLite 29->52 dropped 92 Tries to harvest and steal browser information (history, passwords, etc) 29->92 36 conhost.exe 29->36         started        38 ipconfig.exe 1 34->38         started        40 conhost.exe 34->40         started        file13 signatures14 process15 process16 42 conhost.exe 38->42         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052/
Threat name:
Win32.Trojan.Deapax
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 07:55:10 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c375k3xz2swuehtohe6tvyyrulu4rr3ilcni53z2qlvwq7e4wbja._file
Verdict:
suspicious
Similar samples:
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
TrickBot
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
TrickBot
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
TrickBot
5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
TrickBot
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
TrickBot
6a15e26804644d8c13c19260e449186899050e513b6be6ae5ef65ed799906dca
TrickBot
6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
TrickBot
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
TrickBot
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
TrickBot
ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
TrickBot
+ 82 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib5 banker trojan
Link:
https://tria.ge/reports/210106-lg75x9n6ne/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Unpacked files
SH256 hash:
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
MD5 hash:
ec00bdbe605b0e4909795bf55230c24f
SHA1 hash:
f302942049189a72893bd88d6054f599aaccc164
Link:
https://www.unpac.me/results/78a9c39d-7517-4680-9b1b-cce5180d75d4/
SH256 hash:
6bc68d59684793707033848293ab5b2d99d273ea1b1d5f0a882adc3a4e509a33
MD5 hash:
940fe71b699dc60c0ac5be0dc764d89d
SHA1 hash:
fed1b470d9e1a588cd7e0333c60ea0036a78077e
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/78a9c39d-7517-4680-9b1b-cce5180d75d4/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
SH256 hash:
cbf677f1684c3fadc16307e56d6dcf8ea3af21f63e3f511f5ceeffc48b3c82cd
MD5 hash:
6212184b9f5a28363de451cdcd664e09
SHA1 hash:
c014037b0e9634644d995d0a11a7f1b41639327a
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/78a9c39d-7517-4680-9b1b-cce5180d75d4/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110703/

Comments