MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f
SHA3-384 hash:	011240305b4c13bf84ef86318bee0efa8844477a0d332259414b7716c91c743afe64a8b47828bd36f3a7cc522bcb4b2a
SHA1 hash:	dc9dfc77669f05bb2e8997f160f3e4b2d4ff91df
MD5 hash:	3c7a3e39984d3eba8e79fc01cb5be27a
humanhash:	high-bakerloo-victor-failed
File name:	3c7a3e39984d3eba8e79fc01cb5be27a.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	626'688 bytes
First seen:	2020-12-30 08:57:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3e4de0cd8bd30fa08ee6154c7cfb846b (13 x TrickBot)
ssdeep	6144:tQHW5DoP0QHWkPUIFFMeLHEJ9ihYR0sRRpOHRD5yuuLpV0XY:tlDXiFMyu9ihYRV8HRD5Hg0XY
Threatray	2'978 similar samples on MalwareBazaar
TLSH	8DD4CF606F80E842F2655432553A5BB81E386C23BC560C1BE755FE5D2DB89CB2DE232F
Reporter	abuse_ch
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

445

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3c7a3e39984d3eba8e79fc01cb5be27a.exe

Verdict:

Malicious activity

Analysis date:

2020-12-30 09:08:30 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/6a1f966c-36d6-444e-98a8-7d592e8c8088

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109955/

Detection(s):

SecuriteInfo.com.Trojan.Packed.140.22015.29749.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Sending a UDP request

Deleting a recently created file

Launching a process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Trickbot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/572016

Signature

Allocates memory in foreign processes

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2020-12-30 08:58:07 UTC

AV detection:

14 of 48 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nfxzunjo37l5fd3dw24iysx6zokgqe5o55gljo6bfr63iykahn7q._file

Verdict:

malicious

Label(s):

emotet

trickbot

TrickBot

1610f95a5fa7d0ff96c212663f92fd12e64fde5fbad5fae7849b9416d2518f10

TrickBot

422ec6207733ec310bfe7029ab5123c8d1fe0a0ff869331caeb327175156d22b

TrickBot

449f24aec03bfd9f244e7102319fa6f9f3fccb1673b89b602faa3a52b1530c93

TrickBot

51c2e947522399b8074d5862d8d32257264ae8e39f1d07923085e7b96821109f

TrickBot

5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de

TrickBot

678bd8881dff4cea0b6ff82f8fa2308dbdae666b95978c6ee03c9e422cbc32c8

TrickBot

6912d583576d9eb9caffadbe2c808c4d563dc5274a8197b8be8f253b03010da5

TrickBot

7d974d5a314a19adf76cdd29618acbfb6a61d1cbbdf150ca1c62b88cda9e79dc

TrickBot

f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee

TrickBot

+ 2'968 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:mor7 banker trojan

Link:

https://tria.ge/reports/201230-cyxgxvby1x/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449

Unpacked files

SH256 hash:

696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f

MD5 hash:

3c7a3e39984d3eba8e79fc01cb5be27a

SHA1 hash:

dc9dfc77669f05bb2e8997f160f3e4b2d4ff91df

Link:

https://www.unpac.me/results/0953e28f-13d1-482d-9904-751f321946fc/

SH256 hash:

78e805e8f4e54d9fbb73032f1b2ded580a47e6a7fb5ced306a64ad2c64071cf9

MD5 hash:

f3b67149eba61472473aad149be8cfe7

SHA1 hash:

5b001a09d152fbd8e53035e58fd3cb6d06b6390f

Detections:

win_trickbot_auto

Link:

https://www.unpac.me/results/0953e28f-13d1-482d-9904-751f321946fc/

SH256 hash:

04b23280aa91e932c3428397e559a1fd0cd505a6f540b412b32676e6c18474ec

MD5 hash:

e0644070100fd058005e1b43ef7e8034

SHA1 hash:

d42800d706d83b0c96c9b54db49d5e6b2dd9703c

Detections:

win_trickbot_a4

win_trickbot_auto

Link:

https://www.unpac.me/results/0953e28f-13d1-482d-9904-751f321946fc/

Parent samples :

422ec6207733ec310bfe7029ab5123c8d1fe0a0ff869331caeb327175156d22b
1610f95a5fa7d0ff96c212663f92fd12e64fde5fbad5fae7849b9416d2518f10
678bd8881dff4cea0b6ff82f8fa2308dbdae666b95978c6ee03c9e422cbc32c8
449f24aec03bfd9f244e7102319fa6f9f3fccb1673b89b602faa3a52b1530c93
5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
6912d583576d9eb9caffadbe2c808c4d563dc5274a8197b8be8f253b03010da5
cd498b2426b6783c4f1560b0db54783b4ec8b590db1a3bb23e1207263749ee28
696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

exe 696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/945143/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/109955/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample