MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69947cfea7518aab0920c81530b9e643d0fd0a14b0686a5d13dc1500366f071d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments 1

SHA256 hash:	69947cfea7518aab0920c81530b9e643d0fd0a14b0686a5d13dc1500366f071d
SHA3-384 hash:	19da335f95bfe7b37804be80ef08bf94fbcc45bc10fbe3846ef6d256dee9ce3a1986e4bf2dead9628cd75bcc2a4a1189
SHA1 hash:	6e26e2ce4ae0b98ba615cb894cc9c25767080775
MD5 hash:	c9964c315a0d85ba4894d541816cf676
humanhash:	oscar-table-tennis-network
File name:	c9964c315a0d85ba4894d541816cf676.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	340'992 bytes
First seen:	2021-05-04 15:30:01 UTC
Last seen:	2021-05-04 17:03:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2c132af889766d2f124bc09146cdd55a (2 x TrickBot)
ssdeep	6144:pFF9MSFuZD4p+e+C6lby/Pn2E5wx4JoV6Hj2fX50QGPlNmE3Ip:rF9MSUZ8p+Qoby/Pkx4WAI12lNmEQ
Threatray	3'165 similar samples on MalwareBazaar
TLSH	DB74F121B6D0D072C0C91530E46ADBB59E2BAE6666B1C1476BC43FBF7F213814F2A356
Reporter	abuse_ch
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

319

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.16191.29349.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Sending a UDP request

Connection attempt

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

TrickBot

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/710459

Signature

Allocates memory in foreign processes

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/69947cfea7518aab0920c81530b9e643d0fd0a14b0686a5d13dc1500366f071d/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ngkhz7vhkgfkwcjazaktbopgipip2cquwbuguxit3qkqantpa4oq._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

13aa0fdd60e89711b5218497c7264c2ac11553ea7034f646c922fa47e8732928

TrickBot

2912dc387b23031fe0bae16d60c066d1837781b14eacaad14a28bbf69f7f0196

TrickBot

2bc02aabacf3e4ad8d40be9fe0d22deaeee53782f77e2803adcb27b450fa23cf

TrickBot

2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed

TrickBot

52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929

TrickBot

85cfd42faa485da7e37e87c96a7e19206531a19a37f5cc3edfebd21b5d47d407

TrickBot

b039634cd9719da110e0453ed4f668af7f7de7509bafa9205ae147e8aa1c1896

TrickBot

ea334250dda64c740a8e06ca7c1717e972a0d524011880c7ff05b1e35a881215

TrickBot

f19f135e7f8785f2aa1a6351dcc420194d99b2f69e5323c99b24dcbf6a7ba632

TrickBot

+ 3'155 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:tot93 banker trojan

Link:

https://tria.ge/reports/210504-njx39kr5hs/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443

Unpacked files

SH256 hash:

f889748d0d8faedd935a092963f4271a7fa8966284cd45f8e50a8513bc8b01b9

MD5 hash:

6775e33c3b32b60cb0019e6d38cedda8

SHA1 hash:

f8b01facf366564070c33e83ca1833a9353bc001

Detections:

win_trickbot_a4

win_trickbot_auto

Link:

https://www.unpac.me/results/a0c62198-82cd-4617-b453-e9a0032f8b25/

Parent samples :

69947cfea7518aab0920c81530b9e643d0fd0a14b0686a5d13dc1500366f071d
7865c13a44bdeacb8679a8f12c67effd6392fd64d44b14ca03a77b10c3150141

SH256 hash:

69947cfea7518aab0920c81530b9e643d0fd0a14b0686a5d13dc1500366f071d

MD5 hash:

c9964c315a0d85ba4894d541816cf676

SHA1 hash:

6e26e2ce4ae0b98ba615cb894cc9c25767080775

Link:

https://www.unpac.me/results/a0c62198-82cd-4617-b453-e9a0032f8b25/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/69947cfea7518aab0920c81530b9e643d0fd0a14b0686a5d13dc1500366f071d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

exe 69947cfea7518aab0920c81530b9e643d0fd0a14b0686a5d13dc1500366f071d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1191570/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 16:20:27 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0052] File System Micro-objective::Writes File
5) [C0007] Memory Micro-objective::Allocate Memory
6) [C0040] Process Micro-objective::Allocate Thread Local Storage
7) [C0041] Process Micro-objective::Set Thread Local Storage Value
8) [C0018] Process Micro-objective::Terminate Process