MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48e1eb5e9032f0e8ae1d2845d95ad638a5d1e666e153c0db4d73e8bacd4c1c54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48e1eb5e9032f0e8ae1d2845d95ad638a5d1e666e153c0db4d73e8bacd4c1c54
SHA3-384 hash: be32b47807215c752d695ad63c60940e563bd3849c51f912b57538242715ec037f81db440c239c1165cc3f0c1d940334
SHA1 hash: 92eb6cdf15c126d33e5b2270e93bec987ebf4e47
MD5 hash: eb81c704ff00a0694f0076c975ab5938
humanhash: oranges-princess-high-orange
File name:13687ead846bae3d6dc2187ebf1d00be.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:458'933 bytes
First seen:2020-04-22 06:41:21 UTC
Last seen:2020-04-22 08:51:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d2091b6df8b6ce72e745b9e2d419885d (135 x TrickBot)
ssdeep 12288:QboBb/W9ANGBAFb5i0P6HfewKQLYg0yCxj:4xBAiAHwfzi
Threatray 2'915 similar samples on MalwareBazaar
TLSH 6DA4CF11BAE244E6DC59453C8BE29BB03F79AC10AFD35AD757907D4F68B01C08933AB6
Reporter JoulK
Tags:TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 48e1eb5e9032f0e8ae1d2845d95ad638a5d1e666e153c0db4d73e8bacd4c1c54

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/343199/
  
URLhaus
https://urlhaus.abuse.ch/url/343393/
  
URLhaus
https://urlhaus.abuse.ch/url/343486/
  
URLhaus
https://urlhaus.abuse.ch/url/345691/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments