MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63460db804ae28d642ede8b1c6126958dc0d42c4e526903fca6e147569a7b9d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments 1

SHA256 hash:	63460db804ae28d642ede8b1c6126958dc0d42c4e526903fca6e147569a7b9d0
SHA3-384 hash:	78979993475a31f210b77737c145bae67f9b82db5a1b319db92e02cc180b015d14a6486b3367fe5cfa05da034a7b40d8
SHA1 hash:	64b01d4b244d1ffd021cc7bded22a31126cd4f6f
MD5 hash:	1441d985568ad41f3215e634addd381b
humanhash:	shade-beer-eight-illinois
File name:	1441d985568ad41f3215e634addd381b.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	753'743 bytes
First seen:	2021-05-16 05:08:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1ead8b58f090444c7c586af0c5013096 (4 x TrickBot)
ssdeep	12288:AbMr9Z/ztemeK414FB4ycKSHtqAYLHVa+SbwwG:AbaZ/zr414hRSHiHAhbzG
Threatray	3'382 similar samples on MalwareBazaar
TLSH	EEF45A21F101942FF6B005F289B69BF7DEB5EC028D2176D6D7DA36680B3D893462DD82
Reporter	abuse_ch
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

446

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1441d985568ad41f3215e634addd381b.exe

Verdict:

Malicious activity

Analysis date:

2021-05-16 05:11:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/19e391e8-8d5e-4c57-8705-278b628ed4e5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/157527/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Sending a UDP request

Sending a custom TCP request

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

TrickBot

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/782960

Signature

Allocates memory in foreign processes

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/63460db804ae28d642ede8b1c6126958dc0d42c4e526903fca6e147569a7b9d0/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-05-15 10:02:14 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mnda3oaevyunmqxn5cy4metjldoa2qwe4utjap6knykhk2nhxhia._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

1df7adb79eb1757f7c54e86369c72a38b24ec25a608d5281b289d5e018e81757

TrickBot

241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808

TrickBot

3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18

TrickBot

678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24

TrickBot

697dea4b154178e8de096c66167b539aa4465155d294b11765f1a1886eb7c56d

TrickBot

a8f0fe4419ee163d9230feca6a00693c5f61948159fe869ead51ec3398b7038d

TrickBot

c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2

TrickBot

d1fd867dd79bb803974e18598bdc97cbb8f51acffeb8739ce2f01dff29985803

TrickBot

e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b

TrickBot

+ 3'372 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:tot100 banker trojan

Link:

https://tria.ge/reports/210516-dpsz5595xa/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Trickbot

Malware Config

C2 Extraction:

103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/63460db804ae28d642ede8b1c6126958dc0d42c4e526903fca6e147569a7b9d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	win_trickbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

exe 63460db804ae28d642ede8b1c6126958dc0d42c4e526903fca6e147569a7b9d0

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1191570/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/157527/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-16 06:00:48 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.012] Anti-Behavioral Analysis::Human User Check
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [F0002.002] Collection::Polling
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0049] File System Micro-objective::Get File Attributes
6) [C0051] File System Micro-objective::Read File
7) [C0050] File System Micro-objective::Set File Attributes
8) [C0052] File System Micro-objective::Writes File
9) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
12) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
16) [C0040] Process Micro-objective::Allocate Thread Local Storage
17) [C0038] Process Micro-objective::Create Thread
18) [C0054] Process Micro-objective::Resume Thread
19) [C0041] Process Micro-objective::Set Thread Local Storage Value
20) [C0055] Process Micro-objective::Suspend Thread
21) [C0018] Process Micro-objective::Terminate Process