MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e
SHA3-384 hash: b1b00210819867823ad29c44554ee81df594632e4f5a78f70cefc1a75da8a4232f319154e3209ac111b28060a8f57d7e
SHA1 hash: 0f80d76eb098945ca596e811a24978dc4298a19c
MD5 hash: 893f97d878cbd7574ad706c96aee01b3
humanhash: mike-lake-cardinal-oxygen
File name:893f97d878cbd7574ad706c96aee01b3
Download: download sample
Signature TrickBot
Create hunting rule
File size:446'464 bytes
First seen:2021-10-01 14:40:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 220580f49c2724e661575b7bf3bd58ea (13 x TrickBot)
ssdeep 12288:g0lJ4jPdi1pYE4yl/Pj0nY3nwWOQQ7akiEl0m1BSt:YjViPYEFlj0nAeQM9iaDU
Threatray 3'967 similar samples on MalwareBazaar
TLSH T10D94E02236F0C9B7D1A745300EE59B7DBABAFA104F319A0F67944F1F2D35A914922372
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter zbetcheckin
Tags:32 exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
893f97d878cbd7574ad706c96aee01b3
Verdict:
Malicious activity
Analysis date:
2021-10-01 17:48:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e8d0cb01-4ef0-4654-8611-148553bb6975

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194019/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.11251.31930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8eb10cb5-e776-4d03-a5da-9b6ea9dc0c33
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862767
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495195 Sample: 63wU4W0qew Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 7 63wU4W0qew.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 59 Writes to foreign memory regions 7->59 61 Allocates memory in foreign processes 7->61 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 conhost.exe 10->18         started        process5 dnsIp6 43 179.42.137.107, 443, 49766, 49767 TelefonicadeArgentinaAR unknown 12->43 45 186.4.193.75, 443, 49778, 49779 TelconetSAEC Ecuador 12->45 47 7 other IPs or domains 12->47 63 Hijacks the control flow in another process 12->63 65 May check the online IP address of the machine 12->65 67 Writes to foreign memory regions 12->67 69 2 other signatures 12->69 20 svchost.exe 11 12->20         started        25 svchost.exe 12->25         started        27 svchost.exe 12->27         started        signatures7 process8 dnsIp9 37 109.87.143.67, 443, 49840, 49851 TRIOLANUA Ukraine 20->37 39 178.151.205.154, 443, 49834, 49845 TRIOLANUA Ukraine 20->39 41 9 other IPs or domains 20->41 29 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 20->29 dropped 31 C:\Users\user\AppData\...\Login Data.bak, SQLite 20->31 dropped 33 C:\Users\user\AppData\Local\...\History.bak, SQLite 20->33 dropped 35 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 20->35 dropped 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 file10 signatures11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 14:41:14 UTC
AV detection:
7 of 45 (15.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652
TrickBot
473dfbecc3818114569a9a9f80b0a51ad74b3d88fa778158ab145e839ecb042c
TrickBot
49e61873c2864b4a39bfb6c520ea9644d1b38088cd11a6d0f2f6ced91b793856
TrickBot
5f98da253ec5d1ffbbe07b9ee727a8d8162911b70d59d905f2a2f52579f524d2
TrickBot
9a5d5f4144492833b2f5368bf39154e0a5d60914afccbfde1db93cf0cd9db000
TrickBot
abd7a64e1bf9248c1e53f32ea222a1e448132346edb55a3dbca55354bc3488d1
TrickBot
b88d012225e5e8af014bea93cd04c3655f9b46c77f06557a857868ceda46153a
TrickBot
c9a17531e2ae6361f893390f51295609f4a2fde60927a9afeac9a9e0c4fc2660
TrickBot
d423f00832f44b4195a686c691b2f20e55bd4c31145a43561f83f1ea661bfc60
TrickBot
d76bcc765a822ded81cf1518ab3d65e08cc42ccf946d9381d1115934abe6fed5
TrickBot
+ 3'957 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib157 banker trojan
Link:
https://tria.ge/reports/211001-r2f1kscab7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Unpacked files
SH256 hash:
4e1949554ba0ce37d06bd858d4cb571409f120c7b1187c5d073d4f5006646423
MD5 hash:
5cde577255b755033179343a6c9843c4
SHA1 hash:
98ce72f77b2c5c8a72d545168ba53f6de630da11
Link:
https://www.unpac.me/results/7a4ab09a-6bd1-4387-ad5c-5b26d78bba75/
SH256 hash:
54a1d037605d911a1207fa73f4d198203f81dd655702c4e23af0320d9e923274
MD5 hash:
e3c965864b986b9c9fd11e9d6aa6c040
SHA1 hash:
868ac1989debcf6373064759ba20dce95982775e
Link:
https://www.unpac.me/results/7a4ab09a-6bd1-4387-ad5c-5b26d78bba75/
SH256 hash:
4feeb0400c877326b4bf39694b71d621a0ac2f08264d956422f9b8cd081cc8a2
MD5 hash:
7ac21fea3c5e20bdba78843ab472cd4c
SHA1 hash:
55ce36e09967c3a96c67d70031c51cff17fd793a
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7a4ab09a-6bd1-4387-ad5c-5b26d78bba75/
SH256 hash:
3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e
MD5 hash:
893f97d878cbd7574ad706c96aee01b3
SHA1 hash:
0f80d76eb098945ca596e811a24978dc4298a19c
Link:
https://www.unpac.me/results/7a4ab09a-6bd1-4387-ad5c-5b26d78bba75/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3cdd741fb186/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194019/

Comments


Avatar
zbet commented on 2021-10-01 14:40:40 UTC

url : hxxp://45.86.74.185/images/eflyairplane.png