MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39cfd701bd46e09a5491ab53ee5205cc06ad2c8d5ffece4ed84853fff01a3865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39cfd701bd46e09a5491ab53ee5205cc06ad2c8d5ffece4ed84853fff01a3865
SHA3-384 hash: 6cf2b1b4cc83dbce865a51dce1ed9ef6b7c5fe453b8ebcd3dc68dd25db12ebaf2df40c03beb7441949c6ea108c071ed1
SHA1 hash: 3cb7adbc32e5344b7039d2192bc95fbd663a05a9
MD5 hash: 09394345508176f927cc339bf9ce00e4
humanhash: october-fix-comet-minnesota
File name:09394345508176f927cc339bf9ce00e4.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:839'733 bytes
First seen:2021-08-24 06:33:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884c251bdbb51e23564add248435ff5c (10 x TrickBot)
ssdeep 12288:QFuLe4nHJm79H5Y51MKd3GydYLMcOCWvnJi7:QFF4nHJocZbnJc
Threatray 3'778 similar samples on MalwareBazaar
TLSH T1730519D0634CCA7FD6C33130F3A61633D2538B4E1AAB919BEB58F59AA86E5467413307
dhash icon 58acbcd4d2daf06c (10 x TrickBot)
Reporter abuse_ch
Tags:exe top119 TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
09394345508176f927cc339bf9ce00e4.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-24 06:36:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1aa7c07-50dd-4999-90df-fa2d1bd324ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181750/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.16520.32423.15773.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Sending a UDP request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d509074-28b9-4df4-adc0-3a3341f40ee3
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838033
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470464 Sample: 924Jq77SXv.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 3 other signatures 2->51 7 924Jq77SXv.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 55 Writes to foreign memory regions 7->55 57 Allocates memory in foreign processes 7->57 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 conhost.exe 10->18         started        process5 dnsIp6 39 105.27.205.34, 443, 49743 SEACOM-ASMU Mauritius 12->39 41 ipecho.net 34.117.59.81, 49738, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->41 43 7 other IPs or domains 12->43 59 Hijacks the control flow in another process 12->59 61 May check the online IP address of the machine 12->61 63 Writes to foreign memory regions 12->63 65 2 other signatures 12->65 20 svchost.exe 11 12->20         started        25 svchost.exe 12->25         started        27 svchost.exe 12->27         started        signatures7 process8 dnsIp9 37 201.174.52.20, 443, 49746 TRANSTELCO-INCUS Mexico 20->37 29 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 20->29 dropped 31 C:\Users\user\AppData\...\Login Data.bak, SQLite 20->31 dropped 33 C:\Users\user\AppData\Local\...\History.bak, SQLite 20->33 dropped 35 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 20->35 dropped 53 Tries to harvest and steal browser information (history, passwords, etc) 20->53 file10 signatures11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/39cfd701bd46e09a5491ab53ee5205cc06ad2c8d5ffece4ed84853fff01a3865/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 06:34:12 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhh5oan5i3qjuvervnj64uqfzqdk2lenl77m4twyjbj774a2hbsq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0dd6adc7f40fac5c8268853f41a248996fc4554f227bf6486e5261e506b0c876
TrickBot
16f5c54bb382796b4e1bac32286ca9d8fd795564e689f8c69fc3c4de036359ff
TrickBot
3533489809de87c678e6f04202f369e771de084c3e41d363a6879cc46f2423a7
TrickBot
39adc7e2ea2a22034a153bb7d5eaba75ac81a26ddb0407bab5108242d1878c44
TrickBot
447f81782c5ec0ddd591a39b3312adacfca17ea97a161646f54ae7f3de334398
TrickBot
c5529c964e7362a3ae3ffd0230d73253a491a38f70d2e88cc42abe8a246075b1
TrickBot
dd3b410927a1c9ee86cc61e70378c37f6cb9285f1da01ab0a07a182bfd4906aa
TrickBot
+ 3'768 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:top119 banker trojan
Link:
https://tria.ge/reports/210824-n1zrex75ms/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
cf3b51977f1b76d971c7875fe145eb6d873189d42e391b53b6b6d82dc22bb42e
MD5 hash:
4a57827a79c1cf41d6f92bde2d621002
SHA1 hash:
654789207757f4d42b00ae838e16042971f22483
Link:
https://www.unpac.me/results/bfb41cee-9308-4a6c-820d-b72bab01f60b/
SH256 hash:
f2b84c0ed289d42a89d878b41590eba8551dada6cea0fb5ea11abf0f2ff112dc
MD5 hash:
ca115364765cbc5ac1e08534905b181b
SHA1 hash:
4087e4bba2467bd6ddf7f624e00c6fb7d32320a3
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/bfb41cee-9308-4a6c-820d-b72bab01f60b/
Parent samples :
0dd6adc7f40fac5c8268853f41a248996fc4554f227bf6486e5261e506b0c876
39adc7e2ea2a22034a153bb7d5eaba75ac81a26ddb0407bab5108242d1878c44
39cfd701bd46e09a5491ab53ee5205cc06ad2c8d5ffece4ed84853fff01a3865
29f9c88b451d133d42ecba93ec60768600748d9bf12611182f070539cc61b578
989bca6b266c0ca7ad46e518146e61cb4e12ae3ee606f99d2b2f75221f09f096
2634add718388ef78f53bb550b64fc29266df01ea09c96823f0e47bc85260e40
cfb7a576d253edc8cf78138e7b940b634e45fb73a8f863f4c2f34ff907fd4d03
853fc3d10d574ec5e10595bf8ec5418e0899fc065d59ebe417ba6a95a27211e1
3a311fa2632d70ba58f402a83270f3111ebd0074fe45ecfad273ebb8aecdd328
SH256 hash:
7eb0610df30d79ed2adb23f89281fba52eabc0b9d9fe22ac7b35c54b21477dbb
MD5 hash:
a8f532ea2542305f87c739509fd22685
SHA1 hash:
fb3dd503e487e1ccc9fa81cbca8a4ad07fbecf3e
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/bfb41cee-9308-4a6c-820d-b72bab01f60b/
SH256 hash:
39cfd701bd46e09a5491ab53ee5205cc06ad2c8d5ffece4ed84853fff01a3865
MD5 hash:
09394345508176f927cc339bf9ce00e4
SHA1 hash:
3cb7adbc32e5344b7039d2192bc95fbd663a05a9
Link:
https://www.unpac.me/results/bfb41cee-9308-4a6c-820d-b72bab01f60b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/39cfd701bd46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/39cfd701bd46e09a5491ab53ee5205cc06ad2c8d5ffece4ed84853fff01a3865

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 39cfd701bd46e09a5491ab53ee5205cc06ad2c8d5ffece4ed84853fff01a3865

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1540855/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181750/

Comments