MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3008d3a85d42533167443e236755a01ae25d008728dbcd9630d99a42db30fbae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3008d3a85d42533167443e236755a01ae25d008728dbcd9630d99a42db30fbae
SHA3-384 hash: e3ee54ffffde083f130cdeb8b13aa30c971bc7e9087d7fc52ee67b7a63c6831a93d335ac11a370c1e0fcd05a6e4a465f
SHA1 hash: 7e052df6af9a2018758d13c87838459f1477ea71
MD5 hash: 6673e1c0b274ae2082be7fb4b7d83140
humanhash: emma-queen-mockingbird-mobile
File name:490osndo411.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:270'368 bytes
First seen:2020-04-29 08:21:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b9fa1ff20ba83f54b317241ba5b1513 (157 x TrickBot)
ssdeep 6144:XllmzPYXUMm0hj++Mz+wFGac08SAfl+MA5ykH:KrYnm+wFgHelH
Threatray 4'821 similar samples on MalwareBazaar
TLSH 4D44E0427AE49812C9A40A304D5797756BB3BC346922C75BBF907F1EBCB86C1DD2433A
Reporter abuse_ch
Tags:exe TrickBot


Avatar
abuse_ch
XLS malspam sent from @Orange mailserver distributing TrickBot:

HELO: smtp.smtpout.orange.fr
Sending IP: 80.12.242.131
From: George King <ludovic.philippe214@orange.fr>
Subject: Case 51039
Attachment: GV_6293.xls

TrickBot payload URL:
https://chinatyres.net/IuNbOpen/oiUnbYATR.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Trick.46562.26785.9567.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 08:35:26 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
26 of 30 (86.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gaenhkc5ijjtcz2ehyrwovnadlrf2aehfdn43frq3gnefwzq7oxa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
11476f6fe15ff4790da8b0642a8ae5f204b496d896bdba67d125730b6bbde39d
TrickBot
26bdfa534ef10a0d74b5594bf044772e78e7a26acdbf2cb0dd54f7d949667511
TrickBot
337e027cb6ce943c549e480f1db3aaecdc3cae2ee4809e81fce4a5eada904c3f
TrickBot
52223ec90dbd12dfaef3d91adfda51bf16ebcefcf3fef248d00e5cc42d55356a
TrickBot
62393dd1e58dc000821490355bfd01c42d509806ab519261c184d24438e491ee
TrickBot
859476925b3c6977428dad5437710ef1efc95fd9c4ee229db203f1a9487c4272
TrickBot
991b31a6e618247e4edc7602bbfc2604b7b80e45396bff07cbe90911e9f7f019
TrickBot
a27e9c318ece4e2c9909dbbbd4a9d0a46082fecbce9d12c96a10e651a9dda499
TrickBot
cd093b974b530d7ef2704d62a63761a34ea0a20f6a1398e00d73b805547f2ba5
TrickBot
f539cd73e04bef842b8fa1d820a172e4073eda8bb26b7ac2e546b4a2644a0474
TrickBot
+ 4'811 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xls d9696165b5681b4a7a31c7c78c089be3defd9045795df889ed7922cd6502c19c

TrickBot

Executable exe 3008d3a85d42533167443e236755a01ae25d008728dbcd9630d99a42db30fbae

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/353600/
  
Dropped by
MD5 a4d02613220ef3757c98ffccd469bf44
  
Dropped by
SHA256 d9696165b5681b4a7a31c7c78c089be3defd9045795df889ed7922cd6502c19c
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::FindFirstFileA
VERSION.dll::GetFileVersionInfoSizeA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::OpenSCManagerA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowA
USER32.dll::OpenClipboard
USER32.dll::CreateWindowExA

Comments