MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6912ec55af4079f5ed9b08502d37c0164e833a05c5ed275c6328e745016ec3e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6912ec55af4079f5ed9b08502d37c0164e833a05c5ed275c6328e745016ec3e8
SHA3-384 hash: b2374d33f7a3b989a785070489d3a91818013b42e4f69b8e8fd7308a88666d63e251490ac13e789de06bfd64e627907d
SHA1 hash: ba6b692b1b326d190c654c50adb96ed40deb64c2
MD5 hash: 9a7f353a1809f290b52aec98172f4a4f
humanhash: october-twelve-october-pasta
File name:9a7f353a1809f290b52aec98172f4a4f.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:806'912 bytes
First seen:2020-09-11 12:18:49 UTC
Last seen:2020-09-11 12:47:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93dc88155a00ae749ca86929ba8dffd0 (23 x TrickBot)
ssdeep 24576:icFjZB3IKeUC+cbYRt4sZ/FTFSM/hhN2a:icF1BgbYRt4sZ/FTFSM/pd
Threatray 2'958 similar samples on MalwareBazaar
TLSH A0058E23ED40B44AEA070CB05DF95AB918362C2264157D4BB2D5BE4C2DB26D36DF932F
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Agent.EWFR.29493.16638.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Sending a custom TCP request
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/464165
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6912ec55af4079f5ed9b08502d37c0164e833a05c5ed275c6328e745016ec3e8/
Threat name:
Win32.Trojan.TrickbotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-09-11 12:20:11 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nejoyvnpib47l3m3bbic2n6aczhigoqfyxwsoxddfdtukaloypua._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1b70916e2d3e600ed8f1bb48d9b784669e5c77b9129befb0609425f91880192c
TrickBot
3cf985169b9ce680c9ead4415e6eb5f62991ebe22856c53a697bbad1d43bcf5a
TrickBot
4acc4f2470a14360417676e816b24e0271638410112b7068b3c822db522b5e2b
TrickBot
5abc66f1c2e2fb7c2d74dbaa17cfa47b1a4f4fc576ef7c842bc1de10bf236e5e
TrickBot
5c8356172fa558970b2136a5284da800910c0fef74a75a7eb160874ed3edeec2
TrickBot
a46867b0d1a681e81886d2ab962209d39d36aa701cdff18b20159a93db40f1ec
TrickBot
b917f1d2b3e003cf83fc2a16e25481c1f4cc12d83b9c5879b98744e4a6ff220e
TrickBot
d194034aea6b209fdb3c39cbe12aa0ce42143ba06e855df83b1f8848f1738acf
TrickBot
f3d2c3f97d52b31f00be046d39ae0ff4dbee7f42c32cbddfca7d613dbb9fb6f3
TrickBot
fbb4e4339bbb0bce98f6de368a927d77cfcd15067f178d80f626da35f9a08981
TrickBot
+ 2'948 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200911-edllb5n3d2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/6912ec55af4079f5ed9b08502d37c0164e833a05c5ed275c6328e745016ec3e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 6912ec55af4079f5ed9b08502d37c0164e833a05c5ed275c6328e745016ec3e8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/462124/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/58672/

Comments