MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 437d0b75f67c18c12a35d9c0e1a32fc57b426834fa4df63f30f11cb17dd24528. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 437d0b75f67c18c12a35d9c0e1a32fc57b426834fa4df63f30f11cb17dd24528
SHA3-384 hash: e2efd24a59b454344c94dd5cc8571a6ad9c44486ba9875b63df348669ccf34f876cec60c986ed94a57c4ff2d5f796448
SHA1 hash: 068d94769cb2f41ec502d7e004fc5f4aeb8f9284
MD5 hash: a915d76c4494efea9c6b39250604d7c5
humanhash: beer-pennsylvania-bulldog-pennsylvania
File name:UJFcKUqgmf.bin
Download: download sample
Signature TrickBot
Create hunting rule
File size:1'044'542 bytes
First seen:2021-05-24 17:04:44 UTC
Last seen:2021-05-24 18:03:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 66f30f63084b0523f8f1d74dbceef0e7 (1 x TrickBot)
ssdeep 12288:oToYaQdlYuZS6QR6OC8VF+Uth3dXeEtvUELxGkz9ab8srQpERFd:oToBkmpAOC82qh3Pt8ELxZKVRFd
Threatray 754 similar samples on MalwareBazaar
TLSH 8A256D8E678A4122D4EE05F287716F7EFA7EEF269313EE07134842BB2435439474562B
Reporter j_dubp
Tags:TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UJFcKUqgmf.bin
Verdict:
Malicious activity
Analysis date:
2021-05-24 17:03:08 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/54d9120c-4d20-4806-a1e2-84ed94dbe09a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Deleting a recently created file
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/790610
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/437d0b75f67c18c12a35d9c0e1a32fc57b426834fa4df63f30f11cb17dd24528/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=in6qw5pwpqmmckrv3haodizpyv5ue2bu7jg7mpzq6eolc7osiuua._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
13bebdb4628ed345121aaaae5c512e528d01f3cca6da932c165a7d261c0f0356
TrickBot
1df7adb79eb1757f7c54e86369c72a38b24ec25a608d5281b289d5e018e81757
TrickBot
241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808
TrickBot
2f3c6660f3aa00ef8039afb3efadfe91abf8cf5b5d6ac000e114e91d636e11f7
TrickBot
4e2afdf4b77dc7fb7b36668f5ea70189a73f5acb78ba234d31b02b30227179ff
TrickBot
678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24
TrickBot
8884ecb5d8ec36160ccbd0f22bd4bbef25648fc66bcb0c42403a5c93051dbcd1
TrickBot
f17f19350c6dbcf733c1d2fed10e8c853ac3af5117e8dc8122f06c87bd41d19f
TrickBot
f5e103d4ae71ed138bc80e4a7a909c26ad6be88238269643141d3f5043e4ff13
TrickBot
f90aeb669c32ed6f1009101cc3c071a840f25c7828035601e92f4e17cd95b606
TrickBot
+ 744 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob88 banker trojan
Link:
https://tria.ge/reports/210524-hd232kjt5e/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
196.43.106.38:443
186.97.172.178:443
37.228.70.134:443
144.48.139.206:443
190.110.179.139:443
172.105.15.152:443
177.67.137.111:443
27.72.107.215:443
186.66.15.10:443
189.206.78.155:443
202.131.227.229:443
185.9.187.10:443
196.41.57.46:443
212.200.25.118:443
197.254.14.238:443
45.229.71.211:443
181.167.217.53:443
181.129.116.58:443
185.189.55.207:443
172.104.241.29:443
14.241.244.60:443
144.48.138.213:443
202.138.242.7:443
202.166.196.111:443
36.94.100.202:443
187.19.167.233:443
181.129.242.202:443
36.94.27.124:443
43.245.216.116:443
186.225.63.18:443
41.77.134.250:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/437d0b75f67c18c12a35d9c0e1a32fc57b426834fa4df63f30f11cb17dd24528

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments