MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e93dcc21ee091596b5ecfac0c5076e14fff78617223cb1e19a2686c7113fade. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e93dcc21ee091596b5ecfac0c5076e14fff78617223cb1e19a2686c7113fade
SHA3-384 hash: 497d7457278dac6477485d4c01ec8a8035d1eb41f55a2a21554c4e8605df5a19c66d32360128249f758f1cd56ae490ae
SHA1 hash: 2e37bd35342b1e90cdfa7fd22d779d09b983d5a3
MD5 hash: eec52d33ec7b607e95ff20b0e586acae
humanhash: william-nitrogen-crazy-wolfram
File name:eec52d33ec7b607e95ff20b0e586acae.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:888'832 bytes
First seen:2021-10-16 14:33:29 UTC
Last seen:2021-10-16 15:59:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d3d730d77f19513c17bee56cad3fbfd5 (7 x TrickBot)
ssdeep 12288:DEMkCMMFkUED6ANs4ZD9V63Az2hPmy+khUzJUZ/:m+ED6+xZzkmiig
Threatray 4'157 similar samples on MalwareBazaar
TLSH T12E15C01A3AF1C076C5A291700FF67B6AB6F9ED605B378AC753804E4D6D31DC1463A23A
File icon (PE):PE icon
dhash icon 60f0f0b0e8b270d4 (7 x TrickBot)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
629
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eec52d33ec7b607e95ff20b0e586acae.exe
Verdict:
Malicious activity
Analysis date:
2021-10-16 14:39:34 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/8c4f9e8d-72a2-4e3d-8d24-454dfcf14763

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197897/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.79085.23259.8472.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
emotet greyware keylogger packed wacatac
Link:
https://www.filescan.io/uploads/616ae2dcdb358dd15ebd3c3c/reports/f67a6ee6-0446-493b-a74b-bf4bbd58fec4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e9f2284-e48b-41f2-85e4-7647666f77ac
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871593
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 504017 Sample: iWT2ZGcs2L.exe Startdate: 16/10/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Trickbot 2->41 7 iWT2ZGcs2L.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 12 wermgr.exe 4 7->12         started        17 cmd.exe 7->17         started        19 iWT2ZGcs2L.exe 10->19         started        21 conhost.exe 10->21         started        process5 dnsIp6 29 36.95.23.89, 443, 49756, 49757 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 12->29 31 186.235.48.8, 443, 49781 InorpelIndNordestinadeProdEletricosLtdaBR Brazil 12->31 33 5 other IPs or domains 12->33 27 C:\Users\user\AppData\...\iWT2ZGcs2L.exe, PE32 12->27 dropped 47 May check the online IP address of the machine 12->47 49 Tries to detect virtualization through RDTSC time measurements 12->49 51 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 12->51 53 Multi AV Scanner detection for dropped file 19->53 55 Writes to foreign memory regions 19->55 57 Allocates memory in foreign processes 19->57 23 wermgr.exe 19->23         started        25 cmd.exe 19->25         started        file7 signatures8 process9
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e93dcc21ee091596b5ecfac0c5076e14fff78617223cb1e19a2686c7113fade/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 14:34:06 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j2j5zqq64civs226z6wayudw4fh766dboir4whqzujugy4it7lpa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
27b4bd24ec5cf5572e9d78239316dc41e9197f6fcf09f5a303cc48a581d26e11
TrickBot
567f3596efedff8475d2a21640284f3c12c3053521e9e280ad425f0d5062fc17
TrickBot
5e91d76dc15ec1b53ea0db50584da6444a01876d563c25dfa1baa17cf93b00c6
TrickBot
6851e85d8f6074bdaf251a40eab78a0603d47d0a7896406d132de7129a1579a8
TrickBot
8a7386f0067ff73121af22414532c2b1ba5b586d2482a73ab47242636b02cabc
TrickBot
df16e5de8f0a2d2dd9ef3cc8cc2b544840ade7aca0e9067220d512b2ff697f00
TrickBot
+ 4'147 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot166 banker trojan
Link:
https://tria.ge/reports/211016-rw458achaj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
36.91.117.231:443
36.89.228.201:443
103.75.32.173:443
45.115.172.105:443
36.95.23.89:443
103.123.86.104:443
202.65.119.162:443
202.9.121.143:443
139.255.65.170:443
110.172.137.20:443
103.146.232.154:443
36.91.88.164:443
103.47.170.131:443
122.117.90.133:443
103.9.188.78:443
210.2.149.202:443
118.91.190.42:443
117.222.61.115:443
117.222.57.92:443
136.228.128.21:443
103.47.170.130:443
36.91.186.235:443
103.194.88.4:443
116.206.153.212:443
58.97.72.83:443
139.255.6.2:443
Unpacked files
SH256 hash:
e83c124f308702363ea50f9474620008482b84047361d42e9e57a40a161ef807
MD5 hash:
f51b01c70e629fc919f59303e55515df
SHA1 hash:
9a4ca92cde685b73c848854e7375a9c08aad094e
Link:
https://www.unpac.me/results/04cbc046-cec4-4e7a-ac49-1ea79167968e/
SH256 hash:
726ae48362c4941dee2215428cd89ed2956857188f16779ea345484943d3b70e
MD5 hash:
e8fc58e87aea616060ea98c204f56e90
SHA1 hash:
96420cca217fbb8eb595dfa56c2a7a02c827b06c
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/04cbc046-cec4-4e7a-ac49-1ea79167968e/
Parent samples :
4e93dcc21ee091596b5ecfac0c5076e14fff78617223cb1e19a2686c7113fade
8862d2bf6ac21cae36860cee8dcc0ca5c2de17349b03ff6e309edb967b3cefb3
6db7642e42467842b97947426d78418e58c1e0b25f125ce0faa8bfa6436a70b2
9890dddc8087d395c5eab7410880b35d3e790d11ab08f2b4a039818e814f21ed
SH256 hash:
d1868db8b6d686f0eeb4fd9431ff5c9fed40ff6b35b75ec99922e25a1e164f29
MD5 hash:
2a96920e246b9f7b799bfb75c22ef6be
SHA1 hash:
b0e39f043d8df1b98ebb8d9f4eff97e1997d6d6c
Link:
https://www.unpac.me/results/04cbc046-cec4-4e7a-ac49-1ea79167968e/
SH256 hash:
4e93dcc21ee091596b5ecfac0c5076e14fff78617223cb1e19a2686c7113fade
MD5 hash:
eec52d33ec7b607e95ff20b0e586acae
SHA1 hash:
2e37bd35342b1e90cdfa7fd22d779d09b983d5a3
Link:
https://www.unpac.me/results/04cbc046-cec4-4e7a-ac49-1ea79167968e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4e93dcc21ee0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/4e93dcc21ee091596b5ecfac0c5076e14fff78617223cb1e19a2686c7113fade

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 4e93dcc21ee091596b5ecfac0c5076e14fff78617223cb1e19a2686c7113fade

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1655281/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197897/

Comments