MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5925ecddcc4b4ea9017aad9abe70dfc47bb6aa63bd01a84536a8cd3cc039d781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5925ecddcc4b4ea9017aad9abe70dfc47bb6aa63bd01a84536a8cd3cc039d781
SHA3-384 hash: 1eb5d1fb5966f4a0ae14ad1b51121a018acf094071942c95fa1ce7ca74f25132d9eebc2af400e9e6a7301936668b8c0a
SHA1 hash: a2ee2742e6d68aabb042db14d752bb52bb494f37
MD5 hash: 248e481c88ebc02dcd6879f09f117384
humanhash: crazy-network-golf-saturn
File name:248e481c88ebc02dcd6879f09f117384.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:544'768 bytes
First seen:2021-10-13 09:30:10 UTC
Last seen:2021-10-13 11:24:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ffc20f0bbd3f72a6061b1c2845bbf7b5 (4 x TrickBot)
ssdeep 6144:lJsQ8zcWR976/rrs+zmrY6v9w25rcv4hUhYjSUkPp5DIbT6oweUis:bvOR976Da5lZAv6hjA/cMVis
Threatray 3'939 similar samples on MalwareBazaar
TLSH T18BC4BF273850DCF2D1012576C9A2A3F5AFAC7A185FD3511BB3901B9ED9318A39E305EE
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197142/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.16807.1665.7110.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/6166a7579fb4d8593d637430/reports/0b16e2c2-9038-4c51-97cf-eb581990759f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/020dec7a-5cfe-4e86-9ac2-b54842806b39
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/869525
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501950 Sample: 1s2X5qQkGz.exe Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 3 other signatures 2->53 7 1s2X5qQkGz.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 57 Writes to foreign memory regions 7->57 59 Allocates memory in foreign processes 7->59 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 conhost.exe 10->18         started        process5 dnsIp6 41 36.89.228.201, 443, 49747, 49748 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID Indonesia 12->41 43 36.92.59.93, 443, 49763, 49813 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID Indonesia 12->43 45 4 other IPs or domains 12->45 61 Hijacks the control flow in another process 12->61 63 May check the online IP address of the machine 12->63 65 Writes to foreign memory regions 12->65 67 2 other signatures 12->67 20 svchost.exe 11 12->20         started        25 svchost.exe 12->25         started        signatures7 process8 dnsIp9 35 109.87.143.67, 443, 49823, 49834 TRIOLANUA Ukraine 20->35 37 178.151.205.154, 443, 49817, 49828 TRIOLANUA Ukraine 20->37 39 9 other IPs or domains 20->39 27 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 20->27 dropped 29 C:\Users\user\AppData\...\Login Data.bak, SQLite 20->29 dropped 31 C:\Users\user\AppData\Local\...\History.bak, SQLite 20->31 dropped 33 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 20->33 dropped 55 Tries to harvest and steal browser information (history, passwords, etc) 20->55 file10 signatures11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5925ecddcc4b4ea9017aad9abe70dfc47bb6aa63bd01a84536a8cd3cc039d781/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 01:25:00 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1bc4f950c935d6e994835daa1ff2a69cefffc29486032913b101213e0469e843
TrickBot
3222c4bd58311ea4b19245c446cf2088c12824b73d643b3a12b153bc3d818e35
TrickBot
42d570cd852e4bc909f7b72cdaf45b43a43f32b07364bda976e2b00ee9b385a7
TrickBot
89ca80bfb1e0cc9eaee8334a130f79824b8f450482ad71797657f4df145042e0
TrickBot
b278fa8838fbba987d404016dc4e83c5177d64ebe4e9e230eeb7a5e6bbb51dee
TrickBot
b942174fb012bc3563ee7621e10f69e70a985e5b0894d439eb1465092a00bde4
TrickBot
f5b2a9d72565eee864ecd613e63882d5c12145dd71a85f44ca451cbea110ce18
TrickBot
+ 3'929 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib163 banker trojan
Link:
https://tria.ge/reports/211013-lg2tnadhb2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
36.91.117.231:443
36.89.228.201:443
103.75.32.173:443
45.115.172.105:443
36.95.23.89:443
103.123.86.104:443
202.65.119.162:443
202.9.121.143:443
139.255.65.170:443
110.172.137.20:443
103.146.232.154:443
36.91.88.164:443
103.47.170.131:443
122.117.90.133:443
103.9.188.78:443
210.2.149.202:443
118.91.190.42:443
117.222.61.115:443
117.222.57.92:443
136.228.128.21:443
103.47.170.130:443
36.91.186.235:443
103.194.88.4:443
116.206.153.212:443
58.97.72.83:443
139.255.6.2:443
Unpacked files
SH256 hash:
4bd212fd496a378bbde0b03048df865239a55a5e5b546ec85d42bf7fe46047a1
MD5 hash:
7b966bc59c3cfdf4557fdbaad61975a6
SHA1 hash:
aa2ace439efa3a013e98e446a1ee0f39a050fb07
Link:
https://www.unpac.me/results/9c44e414-7448-4cd7-90b2-0b4c1645b5b9/
SH256 hash:
d3dd517c0e9e9ceb860e4e17ed63ac6d8248e65df221ada0ceac61766e313a94
MD5 hash:
2d8453d7abd01b1daf453f5f4775b45f
SHA1 hash:
7e6d8b780141153447a3636ad36c3eed38fa638c
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c44e414-7448-4cd7-90b2-0b4c1645b5b9/
Parent samples :
5925ecddcc4b4ea9017aad9abe70dfc47bb6aa63bd01a84536a8cd3cc039d781
f14c7926c27a7ea9fd096db1c9a13a6ddf04a3179240efa1945babf98cc3388c
d1461a019fd382d8790a0ff43d259b631ceaa0d2c9e314a450302c53c2b842c8
SH256 hash:
626213e0418b73e968491e777f3d343d6da58dd4ae19c458b95cadef649cb060
MD5 hash:
9a1fca9697126722b77491f56ecb1760
SHA1 hash:
0d39340333a1d67e590cc140dac94c87a9e4c501
Link:
https://www.unpac.me/results/9c44e414-7448-4cd7-90b2-0b4c1645b5b9/
SH256 hash:
5925ecddcc4b4ea9017aad9abe70dfc47bb6aa63bd01a84536a8cd3cc039d781
MD5 hash:
248e481c88ebc02dcd6879f09f117384
SHA1 hash:
a2ee2742e6d68aabb042db14d752bb52bb494f37
Link:
https://www.unpac.me/results/9c44e414-7448-4cd7-90b2-0b4c1645b5b9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5925ecddcc4b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5925ecddcc4b4ea9017aad9abe70dfc47bb6aa63bd01a84536a8cd3cc039d781

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 5925ecddcc4b4ea9017aad9abe70dfc47bb6aa63bd01a84536a8cd3cc039d781

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1655282/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197142/

Comments