MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ec3fca3f0fa3232c85ace8ea62056223149452b70bee259706984e2c96e1998. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ec3fca3f0fa3232c85ace8ea62056223149452b70bee259706984e2c96e1998
SHA3-384 hash: 12b9545be037ff60943e5e49f1c3daef307463172b3b3246fbee3fd087119a86f7ce76d3b1ff4c769fdffbf9cea081d9
SHA1 hash: 2d39564768b11d8d8cec746443ba4512e1a6842b
MD5 hash: 1b557b166ddf21da002086de783f4aa5
humanhash: six-cardinal-india-happy
File name:SecuriteInfo.com.Trojan.GenericKD.34510675.9302.11487
Download: download sample
Signature TrickBot
Create hunting rule
File size:319'488 bytes
First seen:2020-09-12 09:35:19 UTC
Last seen:2020-11-10 18:01:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1bd599f4ce95c5f0673ca100ff07f096 (1 x TrickBot)
ssdeep 6144:WlzD5g2RHwwV36oe3p/+H6+6oqrpw0E9GbImReKnS:ID5ZVDeoa/PEwb16
Threatray 2'848 similar samples on MalwareBazaar
TLSH 4964E157F081C863E10E41B19891DEF566A2ECA54F3198B3E3AAF77E1D316409D3620F
Reporter SecuriteInfoCom
Tags:TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/58758/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34510675.9302.11487.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Connection attempt
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/464700
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5ec3fca3f0fa3232c85ace8ea62056223149452b70bee259706984e2c96e1998/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-09-12 06:27:00 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3b7zi7q7izdfsc2z2hkmicweiyusrjloc7oewlqngcofslodgma._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1b70916e2d3e600ed8f1bb48d9b784669e5c77b9129befb0609425f91880192c
TrickBot
4acc4f2470a14360417676e816b24e0271638410112b7068b3c822db522b5e2b
TrickBot
5abc66f1c2e2fb7c2d74dbaa17cfa47b1a4f4fc576ef7c842bc1de10bf236e5e
TrickBot
5c8356172fa558970b2136a5284da800910c0fef74a75a7eb160874ed3edeec2
TrickBot
6912ec55af4079f5ed9b08502d37c0164e833a05c5ed275c6328e745016ec3e8
TrickBot
a46867b0d1a681e81886d2ab962209d39d36aa701cdff18b20159a93db40f1ec
TrickBot
b917f1d2b3e003cf83fc2a16e25481c1f4cc12d83b9c5879b98744e4a6ff220e
TrickBot
d194034aea6b209fdb3c39cbe12aa0ce42143ba06e855df83b1f8848f1738acf
TrickBot
f3d2c3f97d52b31f00be046d39ae0ff4dbee7f42c32cbddfca7d613dbb9fb6f3
TrickBot
fbb4e4339bbb0bce98f6de368a927d77cfcd15067f178d80f626da35f9a08981
TrickBot
+ 2'838 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200912-2g9y46qqme/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ec3fca3f0fa3232c85ace8ea62056223149452b70bee259706984e2c96e1998

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 5ec3fca3f0fa3232c85ace8ea62056223149452b70bee259706984e2c96e1998

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/466900/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/58758/

Comments