MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments 1

SHA256 hash:	241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808
SHA3-384 hash:	9bd0bc3de5ad917aaeb6bba17421e448ece7f678d7da0981ef85afc192819308934c7f37141b7f525eaf0aeb3c8d9968
SHA1 hash:	a1782a3323d625684555af7c4144e2422107dafb
MD5 hash:	0de5c20eff6c993ab8ee0dd9d2d6f9f1
humanhash:	queen-carolina-sixteen-winner
File name:	0de5c20e_by_Libranalysis
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	659'456 bytes
First seen:	2021-05-05 15:02:09 UTC
Last seen:	2021-05-05 16:00:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	82d7aabbacaf14bba1c321d3fe1f95b2 (5 x TrickBot)
ssdeep	12288:3Y8Id8iWYsKTt3o4iek/WGtMqZtEfl4GnFfTWokO:i8i9n9pd9sMqTaRn1bk
Threatray	725 similar samples on MalwareBazaar
TLSH	C3E4E002FBE0903BD6B285310FE77B3A57F9A9905B755EC763909B0D48321C16E3636A
Reporter	Libranalysis
Tags:	TrickBot

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/150718/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.16468.26986.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eqmzdpxvzz56jkllbfgrbh3jiekcjbyauqfoknoviqfsilug5aea._file

Verdict:

malicious

Label(s):

trickbot

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:tot94 banker trojan

Link:

https://tria.ge/reports/210505-5eya3wx44j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443

Unpacked files

SH256 hash:

6b1d0f4bb6f0ba7eb9dc41488e90a581204336435fd1739eb0a263bec815d9d3

MD5 hash:

a56e4957b4ae433cf7536946e63170ce

SHA1 hash:

fef9c6264ada77aeaf94f63c1842343eb15aab03

Link:

https://www.unpac.me/results/63736a4f-26f5-4f45-a381-c727810d0a8f/

Parent samples :

c89a67fb02f93f2c35d2a2333b283acff44bce36880df33fe6c7fb3917c8bd47
f5e103d4ae71ed138bc80e4a7a909c26ad6be88238269643141d3f5043e4ff13
0cbb778ba97972e04788fa7fee0d36e4c0e584df2dd07fa9cc93c6fa1a81a6b2
89591fbf63f1c182f87402dc5a6ad27b79c158129ab5ac75cc1139a2396b528e

SH256 hash:

5006d5873f53567841d8c7aa6ad51999f54335522618c6cc63adb0f75478ed8f

MD5 hash:

6f978b46fa77d06c16d5049879436682

SHA1 hash:

f7e3179e945e4a39bdb1e7901592b839feb331ea

Link:

https://www.unpac.me/results/63736a4f-26f5-4f45-a381-c727810d0a8f/

SH256 hash:

1accf1e0708786b915471c73efbb157b9e8582413b81937cc6c4e8bde3ecf4a1

MD5 hash:

78ef0389d8f017f5787378d2bcfe4d2c

SHA1 hash:

f5656c318f40d8e26af92fa996bfd15055b69112

Link:

https://www.unpac.me/results/63736a4f-26f5-4f45-a381-c727810d0a8f/

SH256 hash:

241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808

MD5 hash:

0de5c20eff6c993ab8ee0dd9d2d6f9f1

SHA1 hash:

a1782a3323d625684555af7c4144e2422107dafb

Link:

https://www.unpac.me/results/63736a4f-26f5-4f45-a381-c727810d0a8f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150718/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 16:11:19 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.012] Anti-Behavioral Analysis::Human User Check
1) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
2) [B0012.001] Anti-Static Analysis::Argument Obfuscation
3) [F0002.001] Collection::Application Hook
4) [F0002.002] Collection::Polling
5) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
6) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
7) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
8) [C0026.002] Data Micro-objective::XOR::Encode Data
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0050] File System Micro-objective::Set File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [E1510] Impact::Clipboard Modification
15) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
18) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
19) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0040] Process Micro-objective::Allocate Thread Local Storage
23) [C0017] Process Micro-objective::Create Process
24) [C0038] Process Micro-objective::Create Thread
25) [C0054] Process Micro-objective::Resume Thread
26) [C0041] Process Micro-objective::Set Thread Local Storage Value
27) [C0055] Process Micro-objective::Suspend Thread
28) [C0018] Process Micro-objective::Terminate Process