MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
SHA3-384 hash: fc9b02f7788ef112732b69efd56b01066367bb542e12fec13eedd815df27b5d1ecec98fb22e730bf3e83b71a2b325e01
SHA1 hash: 59040824a53fd84a3023a49776b6fd6f7c0eff75
MD5 hash: c851268dcaafc321400f565979a4df2b
humanhash: ack-ten-johnny-hydrogen
File name:mingup.png
Download: download sample
Signature TrickBot
Create hunting rule
File size:434'304 bytes
First seen:2021-01-05 23:55:56 UTC
Last seen:2021-01-06 02:12:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fb6fb94e4b762fed1b02b86bf34a8b0b (7 x TrickBot)
ssdeep 6144:XWr/Zk+YqAipOQkh+y5NT+rtdLkA42HHiptpz4nrIBIdP1FD+k0lXIFjIiNj4unI:XWrxk+3OQPPlky63kQu0mfAok/Oe
Threatray 84 similar samples on MalwareBazaar
TLSH 8C94122246C6BA19ECE74CF8B79F8BEA20045B759B7819877E617D2C91F1081E414A3F
Reporter malware_traffic
Tags:exe lib5 TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mingup.png
Verdict:
Suspicious activity
Analysis date:
2021-01-05 23:27:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9875de4a-39b3-485f-9cc1-94a445ce50d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110634/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trickbot.gm.18643.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574706
Signature
Allocates memory in foreign processes
Delayed program exit found
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336411 Sample: mingup.png Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 88 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->88 90 Found malware configuration 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 6 other signatures 2->94 10 mingup.exe 4 2->10         started        14 mingup.exe 1 2->14         started        process3 file4 62 C:\Users\user\AppData\Roaming\...\mingup.exe, PE32 10->62 dropped 64 C:\Users\user\...\mingup.exe:Zone.Identifier, ASCII 10->64 dropped 104 Detected unpacking (changes PE section rights) 10->104 16 mingup.exe 1 10->16         started        19 conhost.exe 10->19         started        106 Writes to foreign memory regions 14->106 108 Allocates memory in foreign processes 14->108 21 conhost.exe 14->21         started        23 wermgr.exe 14->23         started        signatures5 process6 signatures7 80 Detected unpacking (changes PE section rights) 16->80 82 Machine Learning detection for dropped file 16->82 84 Writes to foreign memory regions 16->84 86 2 other signatures 16->86 25 wermgr.exe 1 16->25         started        process8 dnsIp9 72 36.89.191.119, 449, 49725, 49729 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID Indonesia 25->72 74 222.124.7.150, 447, 49731, 49752 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID Indonesia 25->74 76 5 other IPs or domains 25->76 96 Hijacks the control flow in another process 25->96 98 Writes to foreign memory regions 25->98 100 Tries to detect virtualization through RDTSC time measurements 25->100 102 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->102 29 cmd.exe 11 25->29         started        34 cmd.exe 1 25->34         started        36 BackgroundTransferHost.exe 13 25->36         started        signatures10 process11 dnsIp12 78 186.47.209.222, 443, 49751, 49757 CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC Ecuador 29->78 66 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 29->66 dropped 68 C:\Users\user\AppData\...\Login Data.bak, SQLite 29->68 dropped 70 C:\Users\user\AppData\Local\...\History.bak, SQLite 29->70 dropped 110 Tries to harvest and steal browser information (history, passwords, etc) 29->110 38 conhost.exe 29->38         started        112 Performs a network lookup / discovery via net view 34->112 40 net.exe 1 36->40         started        42 ipconfig.exe 1 36->42         started        44 net.exe 1 36->44         started        46 4 other processes 36->46 file13 signatures14 process15 process16 48 conhost.exe 40->48         started        50 net1.exe 1 40->50         started        52 conhost.exe 42->52         started        54 conhost.exe 44->54         started        56 conhost.exe 46->56         started        58 conhost.exe 46->58         started        60 conhost.exe 46->60         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461/
Threat name:
Win32.Trojan.Deapax
Create hunting rule
Status:
Malicious
First seen:
2021-01-05 23:56:06 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf
TrickBot
389e03b1a1fd1c527d48df74d3c26a0483a5b105f36841193172f1ee80e62c1b
TrickBot
5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
TrickBot
6361151666574cd30d1feb4ed90e3253060d77ca062f9eb31d82179d15eded95
TrickBot
67fd7b558dbe2ca38784a714fcc63fe3a291228dccb0ea7c6b684f1910c66533
TrickBot
6a15e26804644d8c13c19260e449186899050e513b6be6ae5ef65ed799906dca
TrickBot
6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
TrickBot
94b76ce34e5493bb59586b41f41b23baa07a55f2397e80775573714b1311103c
TrickBot
b6317c86864cc8dc3ff1364a536919dd3cf8fa6f16ee21df6fb81fa5220a3399
TrickBot
ccf93828e1b44a75820989d72a2c019ae3b0a98944bf9eb1884e77f16050c53f
TrickBot
+ 74 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib5 banker trojan
Link:
https://tria.ge/reports/210105-gds654e4ba/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Unpacked files
SH256 hash:
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
MD5 hash:
c851268dcaafc321400f565979a4df2b
SHA1 hash:
59040824a53fd84a3023a49776b6fd6f7c0eff75
Link:
https://www.unpac.me/results/347b9533-9a49-471d-8c13-eb11425bc44e/
SH256 hash:
6bc68d59684793707033848293ab5b2d99d273ea1b1d5f0a882adc3a4e509a33
MD5 hash:
940fe71b699dc60c0ac5be0dc764d89d
SHA1 hash:
fed1b470d9e1a588cd7e0333c60ea0036a78077e
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/347b9533-9a49-471d-8c13-eb11425bc44e/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
SH256 hash:
cbf677f1684c3fadc16307e56d6dcf8ea3af21f63e3f511f5ceeffc48b3c82cd
MD5 hash:
6212184b9f5a28363de451cdcd664e09
SHA1 hash:
c014037b0e9634644d995d0a11a7f1b41639327a
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/347b9533-9a49-471d-8c13-eb11425bc44e/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/110634/

Comments