MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
SHA3-384 hash: 45d7aedf68e24d779f8c1b923724f40ed6fc126a44dd3694d76be133e3930886d16ec9216e1ac45f9f6985902618838c
SHA1 hash: e69b24e44991d6d9a2e707f19757d8b2a6222e74
MD5 hash: 89ae5e21d6cf455f467cfaf62350848c
humanhash: bacon-twelve-mars-mobile
File name:5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
Download: download sample
Signature TrickBot
Create hunting rule
File size:163'808 bytes
First seen:2020-10-24 21:04:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:SH46pwuexbq0J2uKpQTbFgq5xvhPFFPZ31C72Bm+UgkrS2n2icz:04weEu7FhPbPZ319nkF
Threatray 1 similar samples on MalwareBazaar
TLSH 17F312F74CB6D793FB4861B7A3B27B0D7D1D4684CA5A0F66E3096C38D19CAF8A484106
Reporter seifreed
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75254/
Detection(s):
Win.Malware.Cerbu-6992546-0
Create hunting rule

Win.Malware.Cerbu-6992551-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Replacing files
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Adding exclusions to Windows Defender
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508709
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected Trickbot e-Banking trojan config
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303472 Sample: KI4i5NDzGg Startdate: 24/10/2020 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 7 other signatures 2->42 7 KI4i5NDzGg.exe 3 2->7         started        11 LJ4i6NEzHg.exe 2->11         started        13 LJ4i6NEzHg.exe 2->13         started        process3 file4 26 C:\Users\user\AppData\...\LJ4i6NEzHg.exe, PE32 7->26 dropped 28 C:\Users\...\LJ4i6NEzHg.exe:Zone.Identifier, ASCII 7->28 dropped 46 Delayed program exit found 7->46 15 LJ4i6NEzHg.exe 7->15         started        48 Hijacks the control flow in another process 11->48 50 Writes to foreign memory regions 11->50 52 Allocates memory in foreign processes 11->52 18 svchost.exe 11->18         started        54 Injects a PE file into a foreign processes 13->54 20 svchost.exe 13->20         started        signatures5 process6 signatures7 56 Antivirus detection for dropped file 15->56 58 Multi AV Scanner detection for dropped file 15->58 60 Hijacks the control flow in another process 15->60 62 5 other signatures 15->62 22 svchost.exe 3 3 15->22         started        process8 dnsIp9 30 80.93.182.201, 443 SELECTEL-MSKRU Russian Federation 22->30 32 209.121.142.202, 449 ASN852CA Canada 22->32 34 3 other IPs or domains 22->34 44 Creates autostart registry keys with suspicious names 22->44 signatures10
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2018-06-21 11:45:12 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
7194aa3ef48725220516bc618aec8ab92ddef859de8f584a6a214ed9812e221a
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
evasion trojan banker family:trickbot persistence
Link:
https://tria.ge/reports/201024-sk255fz1tx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Windows security bypass
Malware Config
C2 Extraction:
209.121.142.202:449
5.102.177.205:449
209.121.142.214:449
95.161.180.42:449
203.86.222.142:443
173.220.6.194:449
179.107.89.145:449
46.20.207.204:443
69.122.117.95:449
68.96.73.154:449
185.42.192.194:449
189.84.125.37:443
68.227.31.46:449
107.144.49.162:443
46.72.175.17:449
144.48.51.8:443
46.243.179.212:449
81.177.255.76:449
37.230.112.67:443
92.53.78.159:443
92.53.77.41:443
185.159.130.203:443
91.235.129.76:443
37.46.128.226:443
185.249.255.77:443
37.230.114.164:443
109.234.37.39:443
89.223.31.103:443
80.93.182.201:443
Unpacked files
SH256 hash:
5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
MD5 hash:
89ae5e21d6cf455f467cfaf62350848c
SHA1 hash:
e69b24e44991d6d9a2e707f19757d8b2a6222e74
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7c02ffb5-ab4d-48da-bc46-cc7a14b42f91/
SH256 hash:
c39f4ee0608a434569db0163725a4366ddb35e375e58168831b89f140fb1e2ff
MD5 hash:
fa7011ca344a9028625d4224a3db0e03
SHA1 hash:
b5dce9a475a1676e9c816aa14a8ea539b79a15bc
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7c02ffb5-ab4d-48da-bc46-cc7a14b42f91/
Parent samples :
23df6c7581b2fe80336763ab3f25db6fdd1c6249b01f75beb58793628eb0c615
c39f4ee0608a434569db0163725a4366ddb35e375e58168831b89f140fb1e2ff
5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/75254/

Comments