MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
SHA3-384 hash: 74d5c76b50d14922534c0ffcd1e05f3ec97ff4393c561b1579eee34ade054a59b56009ffc737a65e4e24bd5a11b72951
SHA1 hash: 94629d7dff20b75636588e3964b4e7e4882ac4d6
MD5 hash: 52d87c733b3cf7e6e653d6141b2222bb
humanhash: beryllium-mike-november-oregon
File name:SecuriteInfo.com.Trojan.Packed.140.16756.13527
Download: download sample
Signature TrickBot
Create hunting rule
File size:434'304 bytes
First seen:2021-01-06 05:36:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fb6fb94e4b762fed1b02b86bf34a8b0b (7 x TrickBot)
ssdeep 6144:XWr/Zk+YqAipOQkh+y5NT+rtdLkA42HHiptpz4nrIBIdP1FD+k0lXIFjIiNj4unV:XWrxk+3OQPPlky63kQu0mfAok/OH
Threatray 88 similar samples on MalwareBazaar
TLSH 9D94122242C6BA19ECE74CF8B79F8BEA20445B759B7819877E617D2C91F1081E414B3F
Reporter SecuriteInfoCom
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Packed.140.16756.13527
Verdict:
Suspicious activity
Analysis date:
2021-01-06 05:39:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b6dcd09c-e75d-4f6d-b795-4e93133d62ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110647/
Detection(s):
SecuriteInfo.com.Trojan.Packed.140.16756.13527.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574778
Signature
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Performs a network lookup / discovery via net view
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336447 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Found malware configuration 2->88 90 Yara detected Trickbot 2->90 92 5 other signatures 2->92 10 SecuriteInfo.com.Trojan.Packed.140.16756.exe 4 2->10         started        14 SecuriteInfo.exe 1 2->14         started        process3 file4 60 C:\Users\user\AppData\...\SecuriteInfo.exe, PE32 10->60 dropped 62 C:\Users\...\SecuriteInfo.exe:Zone.Identifier, ASCII 10->62 dropped 102 Detected unpacking (changes PE section rights) 10->102 16 SecuriteInfo.exe 1 10->16         started        19 conhost.exe 10->19         started        104 Writes to foreign memory regions 14->104 106 Allocates memory in foreign processes 14->106 21 conhost.exe 14->21         started        23 wermgr.exe 14->23         started        signatures5 process6 signatures7 78 Detected unpacking (changes PE section rights) 16->78 80 Machine Learning detection for dropped file 16->80 82 Writes to foreign memory regions 16->82 84 Allocates memory in foreign processes 16->84 25 wermgr.exe 1 16->25         started        process8 dnsIp9 70 45.89.125.214, 443, 49724, 49731 CCTLD-ITViaMoruzzi1IT Germany 25->70 72 ipinfo.io 216.239.36.21, 49727, 80 GOOGLEUS United States 25->72 74 4 other IPs or domains 25->74 94 Hijacks the control flow in another process 25->94 96 Writes to foreign memory regions 25->96 98 Tries to detect virtualization through RDTSC time measurements 25->98 100 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->100 29 cmd.exe 11 25->29         started        34 cmd.exe 1 25->34         started        signatures10 process11 dnsIp12 76 186.47.209.222, 443, 49737, 49745 CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC Ecuador 29->76 64 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 29->64 dropped 66 C:\Users\user\AppData\...\Login Data.bak, SQLite 29->66 dropped 68 C:\Users\user\AppData\Local\...\History.bak, SQLite 29->68 dropped 108 Tries to harvest and steal browser information (history, passwords, etc) 29->108 36 conhost.exe 29->36         started        110 Performs a network lookup / discovery via net view 34->110 38 net.exe 1 34->38         started        40 ipconfig.exe 1 34->40         started        42 net.exe 1 34->42         started        44 4 other processes 34->44 file13 signatures14 process15 process16 46 conhost.exe 38->46         started        48 net1.exe 1 38->48         started        50 conhost.exe 40->50         started        52 conhost.exe 42->52         started        54 conhost.exe 44->54         started        56 conhost.exe 44->56         started        58 conhost.exe 44->58         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27/
Threat name:
Win32.Trojan.Deapax
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 05:37:05 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf
TrickBot
389e03b1a1fd1c527d48df74d3c26a0483a5b105f36841193172f1ee80e62c1b
TrickBot
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
TrickBot
5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
TrickBot
6a15e26804644d8c13c19260e449186899050e513b6be6ae5ef65ed799906dca
TrickBot
6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
TrickBot
94b76ce34e5493bb59586b41f41b23baa07a55f2397e80775573714b1311103c
TrickBot
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
TrickBot
b6317c86864cc8dc3ff1364a536919dd3cf8fa6f16ee21df6fb81fa5220a3399
TrickBot
ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
TrickBot
+ 78 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib5 banker trojan
Link:
https://tria.ge/reports/210106-l8j615cr8s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Unpacked files
SH256 hash:
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
MD5 hash:
52d87c733b3cf7e6e653d6141b2222bb
SHA1 hash:
94629d7dff20b75636588e3964b4e7e4882ac4d6
Link:
https://www.unpac.me/results/fe6dd97f-748a-4b26-8e77-876acaa0f0a7/
SH256 hash:
6bc68d59684793707033848293ab5b2d99d273ea1b1d5f0a882adc3a4e509a33
MD5 hash:
940fe71b699dc60c0ac5be0dc764d89d
SHA1 hash:
fed1b470d9e1a588cd7e0333c60ea0036a78077e
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe6dd97f-748a-4b26-8e77-876acaa0f0a7/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
SH256 hash:
cbf677f1684c3fadc16307e56d6dcf8ea3af21f63e3f511f5ceeffc48b3c82cd
MD5 hash:
6212184b9f5a28363de451cdcd664e09
SHA1 hash:
c014037b0e9634644d995d0a11a7f1b41639327a
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe6dd97f-748a-4b26-8e77-876acaa0f0a7/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110647/

Comments