MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48004e1a43344b272e186b0074655191dbf5520c746871b458e97dd519bd1e8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48004e1a43344b272e186b0074655191dbf5520c746871b458e97dd519bd1e8d
SHA3-384 hash: 80e0a4caae5e519677e6871e20753ec1596b2d0f6c49c34af08dfb06d37a4b307fb12031fd3ab1a59aa8a108011fc4f6
SHA1 hash: 81e32b9cc3cf419f6aa5ba6a9edd24933263baee
MD5 hash: 309e28851c72eb9041773b0bffa3aad3
humanhash: april-mirror-oven-cup
File name:266ONO60DDT.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:450'953 bytes
First seen:2020-08-05 07:02:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f659b493cd16246e9de665422422669b (62 x TrickBot)
ssdeep 6144:GcgG+DlDlDlPKa4cjcZ70+7FQrH+48PiR5zcake:v+dKa4cjcaDr+48PQ5zh
Threatray 5'076 similar samples on MalwareBazaar
TLSH 50A48E11FD630042D829057C086A4438DF1B2F7AFD39AA125FC1BE4F47B61666AA5B3F
Reporter JAMESWT_WT
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39030/
Detection(s):
SecuriteInfo.com.Trojan.Packed.140.20303.30840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Delayed writing of the file
Deleting a recently created file
Launching a process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/410276
Signature
Allocates memory in foreign processes
Delayed program exit found
Found malware configuration
May check the online IP address of the machine
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48004e1a43344b272e186b0074655191dbf5520c746871b458e97dd519bd1e8d/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 22:10:00 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jaae4gsdgrfsolqynmahizkrshn7kuqmoruhdncy5f65kgn5d2gq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05419cb584d67a251d98a302aebeda680806e178d9aecb9265bc1e48dc8897bf
TrickBot
4a8e724787fe19de01666f5ec11febceb8dffbd79da8a7645af6315587048936
TrickBot
55c935b724a8106ccabf0287e1d763ed83a54d899ef0d916c38742341b734607
TrickBot
59c462b186c2d8258a8cc2645f1b24ac91a53e7f49ad91b4e6f7a904736ed1cf
TrickBot
5a4a2a701a5a2ac0af435c31e273d8910d2feacc3a77a9328900c472ddd1d285
TrickBot
667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc
TrickBot
88630567d7dd2637746dc17849ad03bbd8c52cd749aef31d30752cd4e8da7801
TrickBot
b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db
TrickBot
b6edc51053088f5d94cec4f62253cb8676f1b5b450a2c0da9562639eb73f45cd
TrickBot
e6d0cd4425a0d27fa8b175b4545a77a5b543dbe21d0ff28a948f75b0519fafa0
TrickBot
+ 5'066 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200805-2f5zlj412j/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48004e1a43344b272e186b0074655191dbf5520c746871b458e97dd519bd1e8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 48004e1a43344b272e186b0074655191dbf5520c746871b458e97dd519bd1e8d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/39030/
  
URLhaus
https://urlhaus.abuse.ch/url/424217/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/424507/

Comments