MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b26296dff941f7057872a48fb9856c7533f939e75eb84bedcdbccf7e9e2ffc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	3b26296dff941f7057872a48fb9856c7533f939e75eb84bedcdbccf7e9e2ffc8
SHA3-384 hash:	71708f4e24db602ceb7e80b83ce88b81856e0b98a57191745b588e38c9005a7fd7ce7092f3f81ad6f7f76da055c94cf4
SHA1 hash:	1b6da748eac7a0a4fd4277cf6b52789ba3152015
MD5 hash:	c830ad674b4ce30bfa0eeeac2924bc7d
humanhash:	high-equal-sierra-ack
File name:	fzeggwyq.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	761'856 bytes
First seen:	2020-12-22 17:07:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b48e84a58393d3e4389c1259056da207 (1 x TrickBot)
ssdeep	12288:wyYEVM6dH6vqWEKycXljR8gD8uJQ5Hr6gcENYkMJLbX0yjJOLFYy7AV7x1/df94C:w96d6vrEKyYjwGOLZNYkYLbX0TL6V91c
Threatray	2'973 similar samples on MalwareBazaar
TLSH	3CF4CF75BBF4B861C9307938E2B3F393795A5C611AC44CA781447640ADF38ED2AB38E5
Reporter	malware_traffic
Tags:	exe mor3 TrickBot

Intelligence

File Origin

# of uploads :

1

# of downloads :

340

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

fzeggwyq.exe

Verdict:

Suspicious activity

Analysis date:

2020-12-22 17:08:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/126d6409-5bd7-450f-984c-31c009387091

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

TrickBot

Link:

https://www.capesandbox.com/analysis/108959/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.bc.19395.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/568661

Signature

Allocates memory in foreign processes

Detected unpacking (changes PE section rights)

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Svchost Process

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Behaviour

Behavior Graph:

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/3b26296dff941f7057872a48fb9856c7533f939e75eb84bedcdbccf7e9e2ffc8/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2020-12-22 17:08:05 UTC

AV detection:

13 of 28 (46.43%)

Threat level:

5/5

Verdict:

suspicious

Similar samples:

295e83465c510501f5c2a7f998f0f1b83bead17be26d226c4eafa2867190027e

2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed

3cd9b8f675d4718c4d73a9b1656836790a058b8ba46c1e0f254d46775ab06556

52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929

664ed6ed7e3992bdf022771e85f3ccf0930649b105cfe38c6fd1adad75f3b479

a9d54a962d46e4a2d40da284aa8b3a25a3b4e93b7c388890cd38b838a1a65433

b679711aacd061c530ee542da3c47e3757034a339d3537430df7397e2756344f

bd0645f57df34996eff1bbf2f5b1f80806b5f85a63a48ad0a1001cbf7cae3f80

dcc0540fe2bce6179ad316123fa95dbb338e74063f10197fcf5b61ddfafdafcd

f9f065cfe7edfa8c365bf45a46fd73081af15a53b9e67fb8a76f6060b142b7dd

+ 2'963 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201222-h64by82zp6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

3b26296dff941f7057872a48fb9856c7533f939e75eb84bedcdbccf7e9e2ffc8

MD5 hash:

c830ad674b4ce30bfa0eeeac2924bc7d

SHA1 hash:

1b6da748eac7a0a4fd4277cf6b52789ba3152015

Link:

https://www.unpac.me/results/62109e53-a93a-4ef4-8fad-dfc43cdaad67/

SH256 hash:

0368732ac809d420557c2e8230c16823d42c2b4e58981376c4e8f357d0a3c4f2

MD5 hash:

c21990e2be2207e2b1c3510ef0af4e81

SHA1 hash:

3e49bd778dc9708a2420dfd1cff2c325e3d0aea6

Link:

https://www.unpac.me/results/62109e53-a93a-4ef4-8fad-dfc43cdaad67/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b26296dff941f7057872a48fb9856c7533f939e75eb84bedcdbccf7e9e2ffc8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/108959/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample