MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fbb240503648b2446f2a39c3e7b0fa67abbafa023859d8d055019598f0cdb58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	5fbb240503648b2446f2a39c3e7b0fa67abbafa023859d8d055019598f0cdb58
SHA3-384 hash:	bcea7349af9da030b5e5350d4b5be119825667e83008d402376cbf0c6faf1a26133c88586b6225c94495d0955c14e888
SHA1 hash:	22dbbe0a4e071dc4b85a9c048c2221b90023dc9c
MD5 hash:	180da095d8555127d0b820955514e835
humanhash:	august-island-leopard-beryllium
File name:	00283_938983 - Copy (7).js
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	16'671 bytes
First seen:	2021-08-05 15:58:20 UTC
Last seen:	2021-08-05 16:45:03 UTC
File type:	js
MIME type:	text/plain
ssdeep	192:D1FVvtsL/0+OMym44ImnbrlUcypn1VY3woCuvaM3:DbXLMJV/JS+33L93
TLSH	T146727F6CABC1F447739C0F23AF101BE9C176ACD395C8769B89583A5D19DA31BC6B1CA0
Reporter	abuse_ch
Tags:	3362289 js rob120 TrickBot

abuse_ch

TrickBot payload URLs:
http://colegasonline.com/excel.php
http://colegasonline.com/dHAfdxR.img

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Intelligence

File Origin

# of uploads :

# of downloads :

464

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.ISB.Downloadergen80.20027.3623.UNOFFICIAL

Result

Verdict:

UNKNOWN

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5fbb240503648b2446f2a39c3e7b0fa67abbafa023859d8d055019598f0cdb58/

Threat name:

Script-JS.Downloader.SLoad

Status:

Malicious

First seen:

2021-08-05 12:51:32 UTC

File Type:

Text (JavaScript)

AV detection:

5 of 28 (17.86%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l65sibidmsfsirxsuood46ypuz5lxl5aeocz3difkamvtdym3nma._file

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/210805-4829ekt7le/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Blocklisted process makes network request

Malware Config

Dropper Extraction:

http://colegasonline.com/excel.php

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5fbb24050364/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5fbb240503648b2446f2a39c3e7b0fa67abbafa023859d8d055019598f0cdb58

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

js 5fbb240503648b2446f2a39c3e7b0fa67abbafa023859d8d055019598f0cdb58

(this sample)

TrickBot

DLL dll bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942

URLhaus

https://urlhaus.abuse.ch/host/colegasonline.com/

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942

Dropping

MD5 7c44e0a43e508476eda5f699d39a0c7f

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample