MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4
SHA3-384 hash: 0bb214edf234a00c20595faa0df8702c3b398efbc288d612f41b50c611ed311fea1ea887c55eb7416823c287f9eda85a
SHA1 hash: bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96
MD5 hash: 2a48228a37fe7bf1cf3f147d07884e30
humanhash: uncle-nine-hydrogen-don
File name:REQUEST FOR QUOTATION_NEW ORDER URGENTLY NEEDED.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:940'032 bytes
First seen:2022-12-09 18:22:34 UTC
Last seen:2022-12-09 19:28:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:eijfgpFKJM3kEirzajXBJnORbhVjSFoSF4:eSK3Ore7bnAbhVjSFr4
Threatray 5'767 similar samples on MalwareBazaar
TLSH T1AA155BD577F2A06EF48B725264183A9DDC35B943734BE14667733B1082D88FFAA98483
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
381
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344790/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17996.28167.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Creating a process with a hidden window
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63937d07e2c1ea9defe997be/reports/77b40191-9d60-43a5-b131-47e114d1f197/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c014d71-b929-49ad-b504-02e9db035a42
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131628
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 764352 Sample: REQUEST FOR QUOTATION_NEW O... Startdate: 09/12/2022 Architecture: WINDOWS Score: 100 91 mail.shubhdacargo.com 2->91 97 Antivirus detection for dropped file 2->97 99 Sigma detected: Scheduled temp file as task from temp location 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 8 other signatures 2->103 12 REQUEST FOR QUOTATION_NEW ORDER URGENTLY NEEDED.exe 7 2->12         started        16 vkl.exe 2->16         started        18 vkl.exe 2->18         started        20 FblUSm.exe 3 2->20         started        signatures3 process4 file5 83 C:\Users\user\AppData\Roaming\FblUSm.exe, PE32 12->83 dropped 85 C:\Users\user\...\FblUSm.exe:Zone.Identifier, ASCII 12->85 dropped 87 C:\Users\user\AppData\Local\...\tmpFCDA.tmp, XML 12->87 dropped 89 REQUEST FOR QUOTAT...NTLY NEEDED.exe.log, ASCII 12->89 dropped 115 Adds a directory exclusion to Windows Defender 12->115 117 Injects a PE file into a foreign processes 12->117 22 REQUEST FOR QUOTATION_NEW ORDER URGENTLY NEEDED.exe 4 4 12->22         started        26 powershell.exe 21 12->26         started        28 schtasks.exe 1 12->28         started        30 schtasks.exe 16->30         started        32 vkl.exe 16->32         started        34 schtasks.exe 18->34         started        36 vkl.exe 18->36         started        119 Machine Learning detection for dropped file 20->119 signatures6 process7 file8 77 C:\Program Files (x86)\vkl.exe, PE32 22->77 dropped 79 C:\Users\user\AppData\Local\...\install.vbs, data 22->79 dropped 81 C:\...\vkl.exe:Zone.Identifier, ASCII 22->81 dropped 111 Creates autostart registry keys with suspicious names 22->111 38 wscript.exe 1 22->38         started        41 conhost.exe 26->41         started        43 conhost.exe 28->43         started        45 conhost.exe 30->45         started        47 conhost.exe 34->47         started        signatures9 process10 signatures11 109 System process connects to network (likely due to code injection or exploit) 38->109 49 cmd.exe 1 38->49         started        process12 process13 51 vkl.exe 5 49->51         started        54 conhost.exe 49->54         started        signatures14 105 Adds a directory exclusion to Windows Defender 51->105 107 Injects a PE file into a foreign processes 51->107 56 vkl.exe 51->56         started        59 powershell.exe 51->59         started        61 schtasks.exe 51->61         started        process15 signatures16 113 Installs a global keyboard hook 56->113 63 wscript.exe 56->63         started        67 wscript.exe 56->67         started        69 wscript.exe 56->69         started        75 5 other processes 56->75 71 conhost.exe 59->71         started        73 conhost.exe 61->73         started        process17 dnsIp18 95 System process connects to network (likely due to code injection or exploit) 63->95 93 mail.shubhdacargo.com 162.215.248.64, 49699, 49700, 49701 PUBLIC-DOMAIN-REGISTRYUS United States 67->93 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-12-09 18:23:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
15 of 26 (57.69%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jsmirejsn3vj4x7iv2vjh75t64abxu6nubekokvsjsfvjxiygtsa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
11990c08ba3e1eb0f464d9850bb76696a89f95c0368e3634488139f25b96bf42
TrickBot
2bb8b8717844a531b62af7b3a84d1457e749803babec6b25c473626006e4a85a
TrickBot
2ce431fd24a816b14cf7bc9110b959addbe592c8994c7cc8f5b83b8b836ccd93
TrickBot
556db57800de1a678ad62a5d6c85e2de783f3965429679a5c0f584ca3bc483ed
TrickBot
645133b4edd49ca521a1474f406ad09ac6c2511a7abb49279681da9c25e19275
TrickBot
66bfee7c40de7f8f6e9d20b337fc22d9eec1a5a1764d3b29c26639ebdeeddc71
TrickBot
672b918c5c82cfed617eeca2ab662854d2e9feef0031f7a72025962f3ee867ca
TrickBot
90a12c6f1f1a444359902cea58e65e053edc3997be8b5b564a06a5072c0e334e
TrickBot
b222eba2cd4a7a37d8b38083130df60200958d6cd0175c8e827e30a6b434c452
TrickBot
d5c2951b5fada26015c7b4520529d7c24f285aaccdae3768956513c86cf4195d
TrickBot
+ 5'757 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221209-w1f2eadg28/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9af956ee-25f2-43cb-8680-0a3f028fdf92
Unpacked files
SH256 hash:
6ff3beed2c57abfa3bdcd808c0cdc44edd9829cdfeeaed1e10c1a6a11639790c
MD5 hash:
cca2a783e8bcf08dc24ae1518747497a
SHA1 hash:
9c77f92525bad32efc05609b287e28c0e956a8bf
Link:
https://www.unpac.me/results/ff18c548-9782-4ef9-b4bd-f6e94445ca38/
SH256 hash:
81b3921d6580c3025c20274a87cc57b05c603c6107ca026b3dee11136aa39382
MD5 hash:
29b8922be984c0a3eb3310a08d16415f
SHA1 hash:
7ca5e3052e6124d93890e34714f26a503bdb93c1
Link:
https://www.unpac.me/results/ff18c548-9782-4ef9-b4bd-f6e94445ca38/
SH256 hash:
cbef72168046429408bc58810d2df75ffa1bac891d0479cd48f4dd8a90b29f7e
MD5 hash:
5cc56fcc00647a3cc3b66183102f6d94
SHA1 hash:
78378a58a4399d67bcbdc0714b37010b8a18a980
Link:
https://www.unpac.me/results/ff18c548-9782-4ef9-b4bd-f6e94445ca38/
SH256 hash:
922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50
MD5 hash:
1ecb63625d636b0b8f8ebdece9fa80c3
SHA1 hash:
5623d5ad21fc63893011bae7e4709c51219fcc1c
Link:
https://www.unpac.me/results/ff18c548-9782-4ef9-b4bd-f6e94445ca38/
SH256 hash:
bdbefbbae38577901fd8437b40f78ada592b5d1c1fa9b1a799765da7161def02
MD5 hash:
26742ff5afd7f6615cfa3f62ab31c50d
SHA1 hash:
61bed74861da0cf0ec3cfde7da3ef72a9f593ab3
Link:
https://www.unpac.me/results/ff18c548-9782-4ef9-b4bd-f6e94445ca38/
SH256 hash:
1b9ac0ae8bb12c824f44ef06d9a1b2f2ecd6ad4f82817db1d774856998ef3be8
MD5 hash:
c7c6e394d491e6733d1cf2daac138cd2
SHA1 hash:
8bba572830765982b1f23a1c5ee6ce6014e8c0b1
Link:
https://www.unpac.me/results/ff18c548-9782-4ef9-b4bd-f6e94445ca38/
SH256 hash:
4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4
MD5 hash:
2a48228a37fe7bf1cf3f147d07884e30
SHA1 hash:
bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96
Link:
https://www.unpac.me/results/ff18c548-9782-4ef9-b4bd-f6e94445ca38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Executable exe 4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/344790/

Comments