MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652
SHA3-384 hash: 06b113b05a943227e20185379ac54bd35e300c52cef45300b3a7aa1b81058fa6f129f5f8244a7a9d7d430b63d076f7da
SHA1 hash: e0830b751fef3a9b39400c5009227b25590fbd82
MD5 hash: c92c0628d07cba0d47790358ef3f563f
humanhash: chicken-hot-gee-crazy
File name:c92c0628d07cba0d47790358ef3f563f.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:590'848 bytes
First seen:2021-09-30 17:31:34 UTC
Last seen:2021-09-30 19:11:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4052499054ea62aacc9b71303ced775c (12 x TrickBot)
ssdeep 12288:Y7Uf8oOcZoqp4VKC/b1dqvDTUZ4YAGbThGk:Y7UflLs/b1dqvDTUaYAGbTwk
Threatray 3'923 similar samples on MalwareBazaar
TLSH T15AC4BE1177D0D031E2A335718B6AD3746AAEBD618F35834B2BD03B3D1E34691AD3872A
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe lib156 TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c92c0628d07cba0d47790358ef3f563f.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-30 17:35:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/531b63c3-e042-4f72-b99a-44abe67df0f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193766/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Emotet.hc.16505.22473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Enabling autorun with the shell\open\command registry branches
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4117d9b-7e91-4dec-a6cb-36eb6d6fbc9d
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862152
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for sample
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494577 Sample: LyBC9YGy05.exe Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 38 18.222.32.185.zen.spamhaus.org 2->38 40 18.222.32.185.spam.dnsbl.sorbs.net 2->40 42 3 other IPs or domains 2->42 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Found malware configuration 2->58 60 Yara detected Trickbot 2->60 62 3 other signatures 2->62 8 LyBC9YGy05.exe 7 2->8         started        11 cmd.exe 1 2->11         started        signatures3 process4 signatures5 66 Writes to foreign memory regions 8->66 68 Allocates memory in foreign processes 8->68 13 wermgr.exe 8->13         started        17 cmd.exe 8->17         started        19 conhost.exe 11->19         started        process6 dnsIp7 50 179.42.137.102, 443, 49768, 49769 TelefonicadeArgentinaAR unknown 13->50 52 179.42.137.104, 443, 49754, 49755 TelefonicadeArgentinaAR unknown 13->52 54 5 other IPs or domains 13->54 70 Hijacks the control flow in another process 13->70 72 Writes to foreign memory regions 13->72 74 Tries to detect virtualization through RDTSC time measurements 13->74 76 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 13->76 21 svchost.exe 11 13->21         started        26 svchost.exe 13->26         started        28 svchost.exe 13->28         started        signatures8 process9 dnsIp10 44 109.87.143.67, 443, 49900, 49911 TRIOLANUA Ukraine 21->44 46 178.151.205.154, 443, 49894, 49905 TRIOLANUA Ukraine 21->46 48 9 other IPs or domains 21->48 30 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 21->30 dropped 32 C:\Users\user\AppData\...\Login Data.bak, SQLite 21->32 dropped 34 C:\Users\user\AppData\Local\...\History.bak, SQLite 21->34 dropped 36 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 21->36 dropped 64 Tries to harvest and steal browser information (history, passwords, etc) 21->64 file11 signatures12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 17:32:09 UTC
AV detection:
5 of 45 (11.11%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
06933c7b3bddbb3d920172216f4886e811397ef933665ff700b3539774e000d4
TrickBot
341186306bd4d9d32fa8e6cebaa58aba3756c9bfdc4d5bef3dd42acae7789fe8
TrickBot
5f98da253ec5d1ffbbe07b9ee727a8d8162911b70d59d905f2a2f52579f524d2
TrickBot
6b62e970d1c770e694aaccad7d7b874895731ed5c7c6029be9f6badc3b533332
TrickBot
8ab49e939399e4dd51e665e119b4d76c12cae36b3c72bb8aedf9c2ef73903a78
TrickBot
9a5d5f4144492833b2f5368bf39154e0a5d60914afccbfde1db93cf0cd9db000
TrickBot
+ 3'913 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib156 banker trojan
Link:
https://tria.ge/reports/210930-v4as5aacc5/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Unpacked files
SH256 hash:
3c4a59dc2191fd4b9f7b026ee7744f7667f7a4405079a09baf8b4137c3ef34b0
MD5 hash:
dd4dea25238dbf30d44801de10132198
SHA1 hash:
ed7522008c38fc63ce0b6d50627fa1bdbb8b6415
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/bf2d2dcb-5e07-458f-ab6a-df097c49d219/
Parent samples :
5f98da253ec5d1ffbbe07b9ee727a8d8162911b70d59d905f2a2f52579f524d2
3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652
473dfbecc3818114569a9a9f80b0a51ad74b3d88fa778158ab145e839ecb042c
c9a17531e2ae6361f893390f51295609f4a2fde60927a9afeac9a9e0c4fc2660
SH256 hash:
2618e7b4e079eb55ae346817362615216aa40c2664126989b4e0c9466548a5fd
MD5 hash:
5ed6148f3b875a0550a6e6219e6b5513
SHA1 hash:
76ef2208a789bca7ec772976634b192757b404cc
Link:
https://www.unpac.me/results/bf2d2dcb-5e07-458f-ab6a-df097c49d219/
SH256 hash:
128896d5ea7bc288f2d8e13926710c0f3f7b71c845dcbe92c2f5b8d4328dc1a1
MD5 hash:
75fc3c1b5ba1656874f5534ce9fbc59a
SHA1 hash:
53f7a42ec2e3ad7260a9dd05efb7056237c92cc6
Link:
https://www.unpac.me/results/bf2d2dcb-5e07-458f-ab6a-df097c49d219/
SH256 hash:
3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652
MD5 hash:
c92c0628d07cba0d47790358ef3f563f
SHA1 hash:
e0830b751fef3a9b39400c5009227b25590fbd82
Link:
https://www.unpac.me/results/bf2d2dcb-5e07-458f-ab6a-df097c49d219/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3816e3845184/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1641957/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193766/

Comments