MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b7e4e5758699f924f50615e8fe48e13bf428d7aa1fcbfb2ed4f64a0fd6a8f93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrochilusRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b7e4e5758699f924f50615e8fe48e13bf428d7aa1fcbfb2ed4f64a0fd6a8f93
SHA3-384 hash: b0d98b520e856c3cfdbd772b06e8bc15be67275801536f04509adca6f8aa3ea69101666e0ebf79d2a7c6006dd474ddc3
SHA1 hash: 8d01203d8279404db353a97be2acee79cc9be1cb
MD5 hash: 1634d4a7ffdd698f6ccb541719fbff5c
humanhash: kentucky-summer-harry-victor
File name:2b7e4e5758699f924f50615e8fe48e13bf428d7aa1fcbfb2ed4f64a0fd6a8f93.exe
Download: download sample
Signature TrochilusRAT
Create hunting rule
File size:2'066'944 bytes
First seen:2022-03-03 08:32:31 UTC
Last seen:2022-07-24 09:14:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a01522d1e6a438332d5131e139326c71 (1 x TrochilusRAT)
ssdeep 49152:1yhZ+bW+qp2UWp9YkieqYftleW4lojGCpMIPJtuqLZHGNloUHKv5ksTAvEypm/jM:16+bW+o7WgkieqYbeW4+jGCpMIP1Gfos
Threatray 18 similar samples on MalwareBazaar
TLSH T1CCA5AF217790907BC57E3632574AA3B9B2F9E9309E35024766A01E7D3E348D2993C27F
File icon (PE):PE icon
dhash icon 787c78fa87f7e6c4 (16 x Gh0stRAT, 11 x Pikabot, 9 x ManusCrypt)
Reporter obfusor
Tags:exe Plugx TrochilusRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1634d4a7ffdd698f6ccb541719fbff5c.exe.vir
Verdict:
Malicious activity
Analysis date:
2022-03-03 08:47:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee16cb46-b35a-40c0-a852-9ee937f4b34e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrochilusRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246765/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8107/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckScreenResolution
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLeaves
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/619f50dc-b5ef-4e61-a3c2-aa9557373339
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/949856
Signature
Found API chain indicative of debugger detection
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b7e4e5758699f924f50615e8fe48e13bf428d7aa1fcbfb2ed4f64a0fd6a8f93/
Threat name:
Win32.Backdoor.Trochilus
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 08:33:12 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1bfa8af4b51d9fc54d4baa49df27116f44ce269da9123625c1f2ba17289ea2cd
TrochilusRAT
2ba260d53db88ea6ae79af42f97eaa2e22c5fcb0f3e788057ef6e5dc40cd3060
TrochilusRAT
2cd18c340d412d1c09215c828190621ce558d8ea43ba0ad28e3365ff0619fe8b
TrochilusRAT
3f254c62ad02f051ac2112f3aa92cb537f95d7de0d3c80ba5c42dc3a8a79090e
TrochilusRAT
5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5
TrochilusRAT
83c31903a72e894c0c0a74bc456a9ce007991bf682f1d072905865207adc8fbf
TrochilusRAT
9f8cd68021a1987bcb5115056f67fbdc12d24718e51c9103c696702512d78725
TrochilusRAT
aeed6f465b742621bf145219db4ca122f2d9986cfc716b03e99afbcbe336a942
TrochilusRAT
e68eaf634e7dbf615e60d315a40f6bf225c06ce933a4ae193ef8b63620640447
TrochilusRAT
ef7127461d0a024cbdb38b1b958a40311cfc95573f77a739a89f9240e64fa522
TrochilusRAT
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220303-kfwetaaac7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
7b2c8b24ef648979c4e697c5f7203db1e60a67497946d8d45a0f059a8b2a1aa3
MD5 hash:
f3878cbf1d059c6527cd17753043525b
SHA1 hash:
51934edb02ac75d7ccb5a036f22054b692bd55d2
Detections:
win_trochilus_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/0b4d687d-f61f-47b1-a9f3-e14c25935c2a/
SH256 hash:
f6e97d6ad59103c22a55397a8e63d5736be105f2e3e6428fdde78fcedfcd2863
MD5 hash:
45d52f25e82dd9812fc2954c21e3222d
SHA1 hash:
125485a2ea6f482192117deb0827ccb0a1cd037e
Detections:
win_trochilus_rat_auto
Create hunting rule
Link:
https://www.unpac.me/results/0b4d687d-f61f-47b1-a9f3-e14c25935c2a/
SH256 hash:
2b7e4e5758699f924f50615e8fe48e13bf428d7aa1fcbfb2ed4f64a0fd6a8f93
MD5 hash:
1634d4a7ffdd698f6ccb541719fbff5c
SHA1 hash:
8d01203d8279404db353a97be2acee79cc9be1cb
Link:
https://www.unpac.me/results/0b4d687d-f61f-47b1-a9f3-e14c25935c2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b7e4e5758699f924f50615e8fe48e13bf428d7aa1fcbfb2ed4f64a0fd6a8f93

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/0xrb/status/1499287458500194304
Cape
Cape
https://www.capesandbox.com/analysis/246765/

Comments