MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6851e85d8f6074bdaf251a40eab78a0603d47d0a7896406d132de7129a1579a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6851e85d8f6074bdaf251a40eab78a0603d47d0a7896406d132de7129a1579a8
SHA3-384 hash: 95a98d71aa4ce83903bbd74d7052ff5356991edcb3092d6f733452b0e4801bbcba68774bec20736def14f3d1b7ef7c75
SHA1 hash: 52d3ccd0e5c484505e4d7e5ca96ceb301ce974f9
MD5 hash: 0cd5d49bfd3eaeab2805bf5874ef00dc
humanhash: oxygen-alabama-india-muppet
File name:0cd5d49bfd3eaeab2805bf5874ef00dc
Download: download sample
Signature TrickBot
Create hunting rule
File size:446'464 bytes
First seen:2021-10-13 20:22:31 UTC
Last seen:2021-10-13 21:03:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 535fa6479108b5163f64223c5e835312 (4 x TrickBot)
ssdeep 12288:C4jg5ZqdXUR7j+6khm14Qwxj+R4QBbfwxkZoLKl/n:Cf5ZqdXUR7j+6mpQwhQyId
Threatray 1'108 similar samples on MalwareBazaar
TLSH T19594E102B1E88E76E1630A3D0EE497345EF6FF745B36D59367D17A1F2E321880D252A2
File icon (PE):PE icon
dhash icon 8080c470b05c2c0c (4 x TrickBot)
Reporter zbetcheckin
Tags:32 exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
416
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0cd5d49bfd3eaeab2805bf5874ef00dc
Verdict:
Malicious activity
Analysis date:
2021-10-13 20:25:55 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/0ef6e331-9bb8-4cfb-8c87-e91adb818236

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197380/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.21715.30754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/616740281c2d58ba74054262/reports/c9ef63bf-9d44-48c7-a357-7a7b74b3d38f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a16627cc-6e6f-4090-96a2-ee74703447cd
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870023
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502449 Sample: My9L6EU0zY Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 7 My9L6EU0zY.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 45 Writes to foreign memory regions 7->45 47 Allocates memory in foreign processes 7->47 12 wermgr.exe 4 7->12         started        17 cmd.exe 7->17         started        19 My9L6EU0zY.exe 10->19         started        21 conhost.exe 10->21         started        process5 dnsIp6 31 177.75.5.222, 443, 49781 NetworldProvedoreServicosdeInternetLtdaBR Brazil 12->31 33 103.75.32.173, 443, 49762, 49763 ELYZIUM-ASElyziumTechnologiesPvtLtdIN India 12->33 35 4 other IPs or domains 12->35 29 C:\Users\user\AppData\...\My9L6EU0zY.exe, PE32 12->29 dropped 49 Writes to foreign memory regions 12->49 51 Tries to detect virtualization through RDTSC time measurements 12->51 53 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 12->53 23 svchost.exe 12->23         started        55 Allocates memory in foreign processes 19->55 25 wermgr.exe 19->25         started        27 cmd.exe 19->27         started        file7 signatures8 process9
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6851e85d8f6074bdaf251a40eab78a0603d47d0a7896406d132de7129a1579a8/
Threat name:
Win32.Infostealer.Trickster
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 20:24:48 UTC
AV detection:
7 of 45 (15.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbi6qxmpmb2l3lzfdjaovn4kayb5i7ikpclea3itfxtrfgqvpgua._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0304fe2f5cbac1cc2e79bdbc8daa3824d6a8eb139f4d5bec7b57358cd4de8252
TrickBot
0c447e49621b34d77ed3787c07cf0e52d2db4c33a113fb6aa9074df277fdf1eb
TrickBot
264d7d0ebc4021d88ade472d059651d2b5b622badf6b7bc98c95216767533e98
TrickBot
4cb721ef0fd70063bb71ae083ba40871e6fb2095467d43cc15629c14bd794919
TrickBot
5787c6b7af7d648a2dd1caae5a73e9c92c38c061edb282d4189e51d5e2a79c49
TrickBot
61d1417ece7c1bbd2fd4ca685fc92c5239fa8ced521b90cd92cebc983d4fcc5e
TrickBot
98190daef6fabe0513518943ffbc9abcaf4dd7c0bfd37bc996fbbe261d831b3c
TrickBot
b278fa8838fbba987d404016dc4e83c5177d64ebe4e9e230eeb7a5e6bbb51dee
TrickBot
dcb653aeaf898f1a4eb946eec4f03649b50a4bed4258f1dbed96b12e9974c727
TrickBot
decd474e4c808ac1a3255e1b6aecab359028bbadb6852f9ff70b33fdea648978
TrickBot
+ 1'098 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot164 banker trojan
Link:
https://tria.ge/reports/211013-y55axafahp/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
36.91.117.231:443
36.89.228.201:443
103.75.32.173:443
45.115.172.105:443
36.95.23.89:443
103.123.86.104:443
202.65.119.162:443
202.9.121.143:443
139.255.65.170:443
110.172.137.20:443
103.146.232.154:443
36.91.88.164:443
103.47.170.131:443
122.117.90.133:443
103.9.188.78:443
210.2.149.202:443
118.91.190.42:443
117.222.61.115:443
117.222.57.92:443
136.228.128.21:443
103.47.170.130:443
36.91.186.235:443
103.194.88.4:443
116.206.153.212:443
58.97.72.83:443
139.255.6.2:443
Unpacked files
SH256 hash:
f710308ed0348a583030bc6b089e60912b4a6a1f80d017a31c9579e20e686e3e
MD5 hash:
106cc6b2ece1fa62b37d4118211dbfe7
SHA1 hash:
bdc0f0d113e5ef8d166c3b5efb39a7ebb9eef4d0
Link:
https://www.unpac.me/results/96a98198-830a-4d4e-8c0c-7c3dc01dead9/
SH256 hash:
a58fd07e3296f15fcd778bfcdd310f12df610d6a05fcd2b3745f8ef7a9f3e459
MD5 hash:
b8d437ef59bc88dd42e1621a1d058fc4
SHA1 hash:
7d698c9832b555cbf7667aa41a2dde0bd2b270ed
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/96a98198-830a-4d4e-8c0c-7c3dc01dead9/
Parent samples :
567f3596efedff8475d2a21640284f3c12c3053521e9e280ad425f0d5062fc17
0e7df40748bc25633fdbff4ae313acb3e5c3a9325e9a9de2afa6e832a2797004
6851e85d8f6074bdaf251a40eab78a0603d47d0a7896406d132de7129a1579a8
8a7386f0067ff73121af22414532c2b1ba5b586d2482a73ab47242636b02cabc
SH256 hash:
42d25095cbd0ebbfb290277090cb94a681850c42a2d0a41b1e2d965b107288b9
MD5 hash:
199bc0dd16fb1016be5a20bc2d0382e4
SHA1 hash:
378f2c5e501d2acf4438b0ac2d5fefba6dd6bc27
Link:
https://www.unpac.me/results/96a98198-830a-4d4e-8c0c-7c3dc01dead9/
SH256 hash:
6851e85d8f6074bdaf251a40eab78a0603d47d0a7896406d132de7129a1579a8
MD5 hash:
0cd5d49bfd3eaeab2805bf5874ef00dc
SHA1 hash:
52d3ccd0e5c484505e4d7e5ca96ceb301ce974f9
Link:
https://www.unpac.me/results/96a98198-830a-4d4e-8c0c-7c3dc01dead9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6851e85d8f60/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6851e85d8f6074bdaf251a40eab78a0603d47d0a7896406d132de7129a1579a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 6851e85d8f6074bdaf251a40eab78a0603d47d0a7896406d132de7129a1579a8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197380/

Comments


Avatar
zbet commented on 2021-10-13 20:22:32 UTC

url : hxxp://51.195.192.116/images/esmallruby.png