MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54ae4be0297bac7594eba00d00c518c0211e83b93020187f561b36928cdc080f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	54ae4be0297bac7594eba00d00c518c0211e83b93020187f561b36928cdc080f
SHA3-384 hash:	f54d15682c28784fbda7259cd59749992cd13662c414d53393ad37162f320184cbc83482a489a7c3899413ca2cb6fe79
SHA1 hash:	927fa3c865e2b888503993b9a5b3516746d1feaa
MD5 hash:	c29fd72969e4d542f8ed7f0a57141423
humanhash:	ten-south-king-sad
File name:	54ae4be0297bac7594eba00d00c518c0211e83b93020187f561b36928cdc080f
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	1'560'576 bytes
First seen:	2021-06-30 19:28:23 UTC
Last seen:	2021-06-30 20:54:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cff33d60abb2b9ada3b724500411bdc (3 x TrickBot)
ssdeep	24576:RimzrjHy2WUJueLZ1v4414vbqWrbp414TbqWrb:RbfjS2DfZm414+Wrbp414KWrb
Threatray	3'340 similar samples on MalwareBazaar
TLSH	68756A10B260D033F6B12672893AD9F3D975FD128A2573CBE4D2363C1A3D9D35A25EA1
Reporter	Anonymous
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

54ae4be0297bac7594eba00d00c518c0211e83b93020187f561b36928cdc080f

Verdict:

Suspicious activity

Analysis date:

2021-06-30 19:31:07 UTC

Tags:

installer

Link:

https://app.any.run/tasks/2500808a-431c-4378-a36b-b109fd09a170

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/168974/

Detection(s):

SecuriteInfo.com.Variant.Zusy.389140.28309.7541.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

TrickBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e07c0204-5c08-4a89-8008-3c5b969121a3

Result

Threat name:

TrickBot

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/810183

Signature

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/54ae4be0297bac7594eba00d00c518c0211e83b93020187f561b36928cdc080f/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-06-18 07:18:00 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

TrickBot

437d0b75f67c18c12a35d9c0e1a32fc57b426834fa4df63f30f11cb17dd24528

TrickBot

7500223b9a23a332ccb85b42ad8536250ba2cbd77ed8cf80c1b1a4ffe6876865

TrickBot

8366ec12a0a566dd36e60c387942b054865d2ee8d9aba3fd502b34068514bc64

TrickBot

896b649c68a4c744c0bcab8c1918732ef1c82bb51ffaea777d3035867bd2787a

TrickBot

aaf65f2e4e89ced41e549525ef7f0cba7226c2423d0e5009f3fe79c4418b15f7

TrickBot

be98cf40b1ba5dafde4834ba50fb1dc697e456b9f93cb437842f5177160c9fad

TrickBot

dc084e88f377ddd7ee21424f94f1f94b409b26ebfbfb6b8566654cc9ce71472e

TrickBot

e6de77762cac57027cd8a45aba09134e37092965645e6e691d37f40f20945f1f

TrickBot

f90aeb669c32ed6f1009101cc3c071a840f25c7828035601e92f4e17cd95b606

TrickBot

+ 3'330 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:mod2 banker trojan

Link:

https://tria.ge/reports/210630-9345k6qjkx/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

178.72.192.20:443
103.124.145.98:443
45.5.152.39:443
114.7.240.222:443
85.248.1.126:443
94.183.237.101:443
146.196.121.219:443
89.37.1.2:443
94.142.179.77:443
177.221.39.161:443
85.175.171.246:443
103.12.160.164:443
180.178.106.50:443
94.142.179.179:443
46.209.140.220:443
123.231.149.122:443
123.231.149.123:443
182.160.116.190:443
131.0.112.122:443
116.0.6.110:443
103.101.104.229:443
88.150.240.129:443
103.242.104.68:443

Unpacked files

SH256 hash:

d1c4a8bdda47bd4b16ac6c93142c49da30bf361a8662b8b3de6e97f135b1c8c9

MD5 hash:

09ae34300cfc95e2a77da8b55edf17c1

SHA1 hash:

e3bcd692b10c5caf4280ba696bcb3727d34f59f3

Link:

https://www.unpac.me/results/9699ec90-b07c-4c58-b442-fab5b69f74c0/

SH256 hash:

bdb7ddae276074bc52d2d2a2454dfc994f5762e718105c4025a558291caf88ce

MD5 hash:

8b1a856ddb31dd59dc3df146985bc169

SHA1 hash:

703d73013fce882d7fcc611a9045be23c1d166b6

Detections:

win_trickbot_a4

win_trickbot_g6

win_trickbot_auto

Link:

https://www.unpac.me/results/9699ec90-b07c-4c58-b442-fab5b69f74c0/

Parent samples :

be98cf40b1ba5dafde4834ba50fb1dc697e456b9f93cb437842f5177160c9fad
dc084e88f377ddd7ee21424f94f1f94b409b26ebfbfb6b8566654cc9ce71472e
54ae4be0297bac7594eba00d00c518c0211e83b93020187f561b36928cdc080f

SH256 hash:

dc2c09ce1a5750a4c3658033a886abe95a5e41222eac2af15e74e38aa4a492bb

MD5 hash:

7fa2539a33771acb7c5a274124bd6dc3

SHA1 hash:

66e4de8c7bafb62f85036e86dffa18eb8d4b7f92

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/9699ec90-b07c-4c58-b442-fab5b69f74c0/

SH256 hash:

54ae4be0297bac7594eba00d00c518c0211e83b93020187f561b36928cdc080f

MD5 hash:

c29fd72969e4d542f8ed7f0a57141423

SHA1 hash:

927fa3c865e2b888503993b9a5b3516746d1feaa

Link:

https://www.unpac.me/results/9699ec90-b07c-4c58-b442-fab5b69f74c0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/54ae4be0297bac7594eba00d00c518c0211e83b93020187f561b36928cdc080f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/168974/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample