MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
SHA3-384 hash:	fd6bb8392cd642b7f6233881f1e4c9983a5d9fb9a2ca6adbf5722d6e5db7d6c6d65599ce074ca2117af68b4a86af3a21
SHA1 hash:	b6d54467ad522b46d5d6a58ed4fd31d2c7e68d29
MD5 hash:	bc4916b182234073286e830c2dc2f210
humanhash:	grey-maryland-wolfram-pennsylvania
File name:	bc4916b182234073286e830c2dc2f210.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	626'688 bytes
First seen:	2020-12-30 08:56:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3e4de0cd8bd30fa08ee6154c7cfb846b (13 x TrickBot)
ssdeep	6144:tQHWeDoP0QHWkPUIFFMeLHEJ9ihYR0sRRpOHRD5yuuLpV0XY:tCDXiFMyu9ihYRV8HRD5Hg0XY
Threatray	3'103 similar samples on MalwareBazaar
TLSH	D1D4CF606F80E842F2655432553A5BB81E386C23BC560C1BE755FE5D2DB89CB2DE232F
Reporter	abuse_ch
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

444

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bc4916b182234073286e830c2dc2f210.exe

Verdict:

Malicious activity

Analysis date:

2020-12-30 08:56:50 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/c7fd1134-ab03-429b-a3a2-b511a63af1bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109948/

Detection(s):

SecuriteInfo.com.Trojan.Packed.140.20778.15117.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Sending a UDP request

Deleting a recently created file

Launching a process

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Trickbot

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/572023

Signature

Allocates memory in foreign processes

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2020-12-30 08:57:03 UTC

AV detection:

14 of 48 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lsikjbaremdi6lvtjm56i74opwglmqe53s4e6notdlhkmyukhhpa._file

Verdict:

malicious

Label(s):

emotet

trickbot

TrickBot

1610f95a5fa7d0ff96c212663f92fd12e64fde5fbad5fae7849b9416d2518f10

TrickBot

3a214b848b9d317e2c8dfdc7a2e55ee7893b6e4aadc335992d3425480c7eb8b6

TrickBot

422ec6207733ec310bfe7029ab5123c8d1fe0a0ff869331caeb327175156d22b

TrickBot

449f24aec03bfd9f244e7102319fa6f9f3fccb1673b89b602faa3a52b1530c93

TrickBot

678bd8881dff4cea0b6ff82f8fa2308dbdae666b95978c6ee03c9e422cbc32c8

TrickBot

6912d583576d9eb9caffadbe2c808c4d563dc5274a8197b8be8f253b03010da5

TrickBot

696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f

TrickBot

7d974d5a314a19adf76cdd29618acbfb6a61d1cbbdf150ca1c62b88cda9e79dc

TrickBot

f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee

TrickBot

+ 3'093 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:mor7 banker trojan

Link:

https://tria.ge/reports/201230-x247acsp7x/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449

Unpacked files

SH256 hash:

5cf896bcb29527a0b87f01c4995fe847824508b34c46d3d878cb2d379f33bc00

MD5 hash:

d7ae5c811200a325221044424996e61e

SHA1 hash:

db655b8b164c622dc5322db3eb2538bf432932e1

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/d81c9f3b-eb9c-493f-834f-7b31233d1b67/

SH256 hash:

04b23280aa91e932c3428397e559a1fd0cd505a6f540b412b32676e6c18474ec

MD5 hash:

e0644070100fd058005e1b43ef7e8034

SHA1 hash:

d42800d706d83b0c96c9b54db49d5e6b2dd9703c

Detections:

win_trickbot_a4

win_trickbot_auto

Link:

https://www.unpac.me/results/d81c9f3b-eb9c-493f-834f-7b31233d1b67/

Parent samples :

422ec6207733ec310bfe7029ab5123c8d1fe0a0ff869331caeb327175156d22b
1610f95a5fa7d0ff96c212663f92fd12e64fde5fbad5fae7849b9416d2518f10
678bd8881dff4cea0b6ff82f8fa2308dbdae666b95978c6ee03c9e422cbc32c8
449f24aec03bfd9f244e7102319fa6f9f3fccb1673b89b602faa3a52b1530c93
5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
6912d583576d9eb9caffadbe2c808c4d563dc5274a8197b8be8f253b03010da5
cd498b2426b6783c4f1560b0db54783b4ec8b590db1a3bb23e1207263749ee28
696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f

SH256 hash:

5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de

MD5 hash:

bc4916b182234073286e830c2dc2f210

SHA1 hash:

b6d54467ad522b46d5d6a58ed4fd31d2c7e68d29

Link:

https://www.unpac.me/results/d81c9f3b-eb9c-493f-834f-7b31233d1b67/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

exe 5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/945143/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/109948/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample