MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
SHA3-384 hash: 2c16912294662fa8450f0159dd5d83d136cbf1cd5048f1470c5180186cc0f38921a634469a7b6cf3506b625dd9fd966a
SHA1 hash: 42cbd5cbe49e28fbb48f39cfd277be8c1c12fc17
MD5 hash: 7a259490a64411180dd9c14a6c42ff44
humanhash: ten-jersey-ack-yellow
File name:7a259490a64411180dd9c14a6c42ff44.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:434'304 bytes
First seen:2021-01-06 07:54:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fb6fb94e4b762fed1b02b86bf34a8b0b (7 x TrickBot)
ssdeep 6144:XWr/Zk+YqAipOQkh+y5NT+rtdLkA42HHiptpz4nrIBIdP1FD+k0lXIFjIiNj4unX:XWrxk+3OQPPlky63kQu0mfAok/ON
Threatray 92 similar samples on MalwareBazaar
TLSH DA94122246C6BA19ECE74CF8B79F8BEA20045B759B7819877E617D2C91F1081E414B3F
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7a259490a64411180dd9c14a6c42ff44.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-06 08:00:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/70276249-f39e-4f5a-996f-706cb5a7607e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110698/
Detection(s):
SecuriteInfo.com.Trojan.Packed.140.11016.16598.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Launching a process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574952
Signature
Allocates memory in foreign processes
Delayed program exit found
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336534 Sample: WZJIuy3UYm.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->75 77 Found malware configuration 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 5 other signatures 2->81 10 WZJIuy3UYm.exe 4 2->10         started        14 WZJIuy3UYm.exe 1 2->14         started        process3 file4 47 C:\Users\user\AppData\...\WZJIuy3UYm.exe, PE32 10->47 dropped 49 C:\Users\...\WZJIuy3UYm.exe:Zone.Identifier, ASCII 10->49 dropped 91 Detected unpacking (changes PE section rights) 10->91 16 WZJIuy3UYm.exe 1 10->16         started        19 conhost.exe 10->19         started        93 Writes to foreign memory regions 14->93 95 Allocates memory in foreign processes 14->95 21 conhost.exe 14->21         started        23 wermgr.exe 14->23         started        signatures5 process6 signatures7 67 Multi AV Scanner detection for dropped file 16->67 69 Detected unpacking (changes PE section rights) 16->69 71 Machine Learning detection for dropped file 16->71 73 3 other signatures 16->73 25 wermgr.exe 1 16->25         started        process8 dnsIp9 59 41.159.31.227, 449, 49724, 49750 Gabon-TelecomGA Gabon 25->59 61 wtfismyip.com 95.217.228.176, 49732, 80 HETZNER-ASDE Germany 25->61 63 5 other IPs or domains 25->63 83 Hijacks the control flow in another process 25->83 85 Writes to foreign memory regions 25->85 87 Tries to detect virtualization through RDTSC time measurements 25->87 89 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->89 29 cmd.exe 11 25->29         started        34 cmd.exe 1 25->34         started        signatures10 process11 dnsIp12 65 186.47.209.222, 443, 49764, 49767 CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC Ecuador 29->65 51 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 29->51 dropped 53 C:\Users\user\AppData\...\Login Data.bak, SQLite 29->53 dropped 55 C:\Users\user\AppData\Local\...\History.bak, SQLite 29->55 dropped 97 Tries to harvest and steal browser information (history, passwords, etc) 29->97 36 conhost.exe 29->36         started        38 ipconfig.exe 1 34->38         started        41 conhost.exe 34->41         started        43 net.exe 1 34->43         started        file13 signatures14 process15 dnsIp16 57 192.168.2.1 unknown unknown 38->57 45 conhost.exe 38->45         started        process17
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743/
Threat name:
Win32.Trojan.Deapax
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 07:54:05 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mywyjsfbjbkwcctbmhdax4lpgd2n7w547mvxp22e34g23iide5bq._file
Verdict:
suspicious
Similar samples:
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
TrickBot
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
TrickBot
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
TrickBot
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
TrickBot
5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
TrickBot
6a15e26804644d8c13c19260e449186899050e513b6be6ae5ef65ed799906dca
TrickBot
6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
TrickBot
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
TrickBot
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
TrickBot
ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
TrickBot
+ 82 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib5 banker trojan
Link:
https://tria.ge/reports/210106-wgsn483j6x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Unpacked files
SH256 hash:
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
MD5 hash:
7a259490a64411180dd9c14a6c42ff44
SHA1 hash:
42cbd5cbe49e28fbb48f39cfd277be8c1c12fc17
Link:
https://www.unpac.me/results/964ae1bd-2187-43df-9209-4e1acb61fa96/
SH256 hash:
6bc68d59684793707033848293ab5b2d99d273ea1b1d5f0a882adc3a4e509a33
MD5 hash:
940fe71b699dc60c0ac5be0dc764d89d
SHA1 hash:
fed1b470d9e1a588cd7e0333c60ea0036a78077e
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/964ae1bd-2187-43df-9209-4e1acb61fa96/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
SH256 hash:
cbf677f1684c3fadc16307e56d6dcf8ea3af21f63e3f511f5ceeffc48b3c82cd
MD5 hash:
6212184b9f5a28363de451cdcd664e09
SHA1 hash:
c014037b0e9634644d995d0a11a7f1b41639327a
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/964ae1bd-2187-43df-9209-4e1acb61fa96/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110698/

Comments