MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2
SHA3-384 hash: c3e3e5edfb5c2c57a32f40c753912d229c7e899997eac03b27e74a670ac5b4cec5491d0ba59818e5acde3d31b6e4067b
SHA1 hash: 9ec2ce0230ed771c86a75f3bbd375e79c1ce2455
MD5 hash: f0588e538f9353ff1bd1034f75137fd1
humanhash: cola-failed-river-yellow
File name:f0588e538f9353ff1bd1034f75137fd1.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:349'696 bytes
First seen:2021-08-12 17:47:04 UTC
Last seen:2021-08-12 19:00:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 14a81b46e8257bea317d97931d356cc8 (2 x TrickBot)
ssdeep 6144:ZKFg9QEvAr0KKmFfZ/DBk4aWTl1Qlrtw8919yOJ1Nx:Zs6dYr0KKcZ/DBbpClRIAb
Threatray 946 similar samples on MalwareBazaar
TLSH T14B74023631A4A075C49A0637442AC366CAAEBD56F071454B6FE03DED7FB22D00F3A369
dhash icon 10604cc4a8daec04 (2 x TrickBot)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f0588e538f9353ff1bd1034f75137fd1.exe
Verdict:
Malicious activity
Analysis date:
2021-08-12 17:53:10 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/34ab0ea0-c396-475d-a388-39b747736fe0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178788/
Detection(s):
SecuriteInfo.com.Heur.PIF.6.29684.12626.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Connection attempt
Sending a custom TCP request
DNS request
Creating a process with a hidden window
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/85104142-c318-4124-8668-13abcb039675
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831997
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 464428 Sample: 9sa8UMgcBA.exe Startdate: 12/08/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected Trickbot 2->46 48 3 other signatures 2->48 7 9sa8UMgcBA.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 52 Writes to foreign memory regions 7->52 54 Allocates memory in foreign processes 7->54 56 Tries to detect virtualization through RDTSC time measurements 7->56 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 conhost.exe 10->18         started        process5 dnsIp6 36 60.51.47.65, 443, 49722, 49730 TMNET-AS-APTMNetInternetServiceProviderMY Malaysia 12->36 38 wtfismyip.com 95.217.228.176, 49726, 80 HETZNER-ASDE Germany 12->38 40 6 other IPs or domains 12->40 58 Hijacks the control flow in another process 12->58 60 May check the online IP address of the machine 12->60 62 Writes to foreign memory regions 12->62 64 2 other signatures 12->64 20 svchost.exe 5 12->20         started        24 svchost.exe 12->24         started        26 svchost.exe 12->26         started        signatures7 process8 file9 28 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 20->28 dropped 30 C:\Users\user\AppData\...\Login Data.bak, SQLite 20->30 dropped 32 C:\Users\user\AppData\Local\...\History.bak, SQLite 20->32 dropped 34 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 20->34 dropped 50 Tries to harvest and steal browser information (history, passwords, etc) 20->50 signatures10
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2/
Threat name:
Win32.Infostealer.Trickster
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 17:47:08 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
104b914e642490aa18ec1b1eeeea70e288e7c6bbce699f37ac3ac8a2603a8341
TrickBot
149092132cc1f8835218eeabb3e2df8affc26ec400827e237478fd5431aaf079
TrickBot
226321291fa1d596e9a0dc89992fc3e36eb070d06c02df249593a3193d216ed3
TrickBot
2e0cc33c355bd9d3bd9ff8df2f48000396e39a49b4a04253f767058a7dc6be6d
TrickBot
367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb
TrickBot
89ca80bfb1e0cc9eaee8334a130f79824b8f450482ad71797657f4df145042e0
TrickBot
a57207ec582b45d43728d1cee51da3cf96449d4697b08a090d36a62e9bbd9278
TrickBot
d33ee39ed2df3846e899bcfb8b0d9a4662ad70472b0f13c7662c7e48fe677aca
TrickBot
+ 936 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:top113 banker trojan
Link:
https://tria.ge/reports/210812-gfjk1esgce/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
77f75bd3c4fdf03e95caf5718cd8185b1d18631a973852f82bf4e4cb86371578
MD5 hash:
f6b06325024cda52377b05460e5fc730
SHA1 hash:
7a2d34d42bbeb1b1dfa9365566f027c3b4d47b10
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/d9f84ead-38d9-4e19-85b2-06c700f7c3a9/
Parent samples :
1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2
2181358d62d130161a6a06e4b3a9081a2da06a363f6918a5b1345c36775bb315
SH256 hash:
1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2
MD5 hash:
f0588e538f9353ff1bd1034f75137fd1
SHA1 hash:
9ec2ce0230ed771c86a75f3bbd375e79c1ce2455
Link:
https://www.unpac.me/results/d9f84ead-38d9-4e19-85b2-06c700f7c3a9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1733d9d0d320/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1522101/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/178788/

Comments