MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc
SHA3-384 hash: c9eb87b5e9f1595b30575f51c7043b413919231ed82d187c01f78c38e18ba70c1d38c1bdaf418998da43cd56a4796257
SHA1 hash: b1642d3e191fcfc8f8e7fb3f92ef96d0e9a6df21
MD5 hash: eabf5c79acd95765bc2e51e6ae44adb8
humanhash: robin-march-football-ten
File name:eabf5c79acd95765bc2e51e6ae44adb8.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:450'783 bytes
First seen:2020-08-04 16:33:47 UTC
Last seen:2020-08-05 07:02:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f659b493cd16246e9de665422422669b (62 x TrickBot)
ssdeep 6144:GcgG+DlDlDlPKa4cjcZ70+7FQrH+48PiR5zcak:v+dKa4cjcaDr+48PQ5z
Threatray 5'076 similar samples on MalwareBazaar
TLSH F6A48E11FD630042D829057C086A4438DF1B2F7AFD39AA125FC1BE4F47B61666AA5B3F
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38852/
Detection(s):
SecuriteInfo.com.Trojan.Packed.140.20303.30840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Delayed writing of the file
Deleting a recently created file
Launching a process
Connection attempt
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/409796
Signature
Allocates memory in foreign processes
Delayed program exit found
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc/
Threat name:
Win32.Trojan.Ditertag
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 16:35:05 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05419cb584d67a251d98a302aebeda680806e178d9aecb9265bc1e48dc8897bf
TrickBot
4a8e724787fe19de01666f5ec11febceb8dffbd79da8a7645af6315587048936
TrickBot
55c935b724a8106ccabf0287e1d763ed83a54d899ef0d916c38742341b734607
TrickBot
59c462b186c2d8258a8cc2645f1b24ac91a53e7f49ad91b4e6f7a904736ed1cf
TrickBot
5a4a2a701a5a2ac0af435c31e273d8910d2feacc3a77a9328900c472ddd1d285
TrickBot
88630567d7dd2637746dc17849ad03bbd8c52cd749aef31d30752cd4e8da7801
TrickBot
b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db
TrickBot
b6edc51053088f5d94cec4f62253cb8676f1b5b450a2c0da9562639eb73f45cd
TrickBot
d73a4b780ce969ae7256258aafcf0ef472b6afb8ea3b527ce38cf686a479570d
TrickBot
e6d0cd4425a0d27fa8b175b4545a77a5b543dbe21d0ff28a948f75b0519fafa0
TrickBot
+ 5'066 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200804-rfydkfyq2x/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/424217/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38852/
  
URLhaus
https://urlhaus.abuse.ch/url/424501/

Comments