MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b2c39847825cdbc53f5a1afa37f047eeba06b7b490b191967e88cba0706df3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot
Vendor detections: 11

SHA256 hash: 4b2c39847825cdbc53f5a1afa37f047eeba06b7b490b191967e88cba0706df3e
SHA3-384 hash: 052d8b395366739f5f4167498bef088b85a9875c95ebffd1c3aa87d4957c114b32ae41384307d91b6d2623306a059217
SHA1 hash: 95f9bd87449cd84b9ee8c4678d67c3b89f030362
MD5 hash: 022caec7ed77f286c0c5191aaaf75010
humanhash: winner-autumn-bluebird-happy
File name: 4b2c39847825cdbc53f5a1afa37f047eeba06b7b490b191967e88cba0706df3e.bin
Signature: TrickBot
File size: 724'153 bytes
First seen: 2021-06-28 12:26:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 12288:ehqxSLo5C1Ps4XhCMX8XL8PC3SrSal0l/elVxLmss8uIC:eHLmCiIhBSQP0SJignZmss85C
Threatray: 1'115 similar samples on MalwareBazaar
TLSH: 36F4D002B793C472C5E125311F24D7735739FC250F248B9BA3E40D6BBEAA1926A3D6D2
Reporter: JasonMilletary
Tags: exe TrickBot

Intelligence

File Origin
# of uploads: 1
# of downloads: 295
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4b2c39847825cdbc53f5a1afa37f047eeba06b7b490b191967e88cba0706df3e.bin
Verdict: Malicious activity
Analysis date: 2021-06-28 12:31:57 UTC
Tags: evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph ID: 441223 (sample PbqV9viBb4.bin, start date 28/06/2021, architecture WINDOWS, score 100). The graph image is not reproduced here; its recoverable content is:
Root signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Sigma detected: Suspect Svchost Activity; 2 other signatures. Processes started from the root: PbqV9viBb4.exe, regsvr32.exe, svchost.exe.
PbqV9viBb4.exe: drops C:\Users\user\AppData\Roaming\xps.dll (PE32) and C:\Users\user\AppData\Roaming\xps.vbs (ASCII); starts wscript.exe.
wscript.exe: starts regsvr32.exe.
regsvr32.exe: writes to foreign memory regions; allocates memory in foreign processes; starts wermgr.exe.
wermgr.exe: connects to 45.239.233.131:443 (SPEEDNETFRUTALNETFIBRAEWIRELESSBR, Brazil; local ports 49724, 49734) and 5.34.74.210:443 (KAR-TEL-AS, Almaty, Kazakhstan; local ports 49736, 49747) plus 7 other IPs or domains; hijacks the control flow in another process; may check the online IP address of the machine; writes to foreign memory regions; 2 other signatures; starts three svchost.exe instances.
svchost.exe (from wermgr.exe): connects to 12.23.113.92:443 (ATT-INTERNET4US, United States; local ports 49742, 49751); drops C:\Users\user\AppData\Local\...\Web Data.bak, C:\Users\user\AppData\...\Login Data.bak and C:\Users\user\AppData\Local\...\History.bak (SQLite); tries to harvest and steal browser information (history, passwords, etc).
Threat name: Win32.Trojan.Trickpak
Status: Malicious
First seen: 2021-06-26 18:37:00 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5

Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:sp1 banker trojan
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Trickbot
Malware Config
C2 Extraction:
Unpacked files
Detections: win_trickbot_a4 win_trickbot_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments