MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
SHA3-384 hash: 8c5ec9d4799e9f4376d913f42525b9c53c43219243ad6762f9bf26adfc739d7f070888beed479e9e04109879b8690b09
SHA1 hash: b281f8da746da72039c98312c2f51cb806613ab2
MD5 hash: 97d0ff826db4708c0bf8bff513dda02a
humanhash: arizona-california-lithium-angel
File name:97d0ff826db4708c0bf8bff513dda02a.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:937'984 bytes
First seen:2021-08-12 13:49:06 UTC
Last seen:2021-08-12 15:19:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a36b8c98f8710737441ff391a1167b41 (2 x TrickBot)
ssdeep 12288:ZUKFfy62YznW7A+YTr+PoIIxOeCW33pKAvsrvl5a0R5w5f:1y62YTW7A+PIgO3dviTa0ef
Threatray 3'275 similar samples on MalwareBazaar
TLSH T1C115CF5235B08037C6B25A714E2A2B2DBAFAFD684B7394C363884B5C5971DD11F3633A
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97d0ff826db4708c0bf8bff513dda02a.exe
Verdict:
Malicious activity
Analysis date:
2021-08-12 13:52:32 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/4a6f9d21-092e-41b6-9e9a-4976f3e5c1ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178746/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.16471.6452.12946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Launching a process
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfbc3b5c-43c7-413e-b3c3-8d9b2888f806
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831866
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 464299 Sample: JWKipf9mBa.exe Startdate: 12/08/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 3 other signatures 2->44 7 JWKipf9mBa.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 48 Writes to foreign memory regions 7->48 50 Allocates memory in foreign processes 7->50 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 conhost.exe 10->18         started        process5 dnsIp6 32 105.27.205.34, 443, 49747, 49770 SEACOM-ASMU Mauritius 12->32 34 46.99.175.149, 443, 49740, 49746 IPKO-ASAL Albania 12->34 36 6 other IPs or domains 12->36 52 Hijacks the control flow in another process 12->52 54 May check the online IP address of the machine 12->54 56 Writes to foreign memory regions 12->56 58 2 other signatures 12->58 20 svchost.exe 5 12->20         started        signatures7 process8 file9 24 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 20->24 dropped 26 C:\Users\user\AppData\...\Login Data.bak, SQLite 20->26 dropped 28 C:\Users\user\AppData\Local\...\History.bak, SQLite 20->28 dropped 30 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 20->30 dropped 46 Tries to harvest and steal browser information (history, passwords, etc) 20->46 signatures10
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 13:50:05 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nqryuesbkdobfgf5ni2h5briwuokfvnoasybqetquwjiv3oghlmq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1bc4f950c935d6e994835daa1ff2a69cefffc29486032913b101213e0469e843
TrickBot
226321291fa1d596e9a0dc89992fc3e36eb070d06c02df249593a3193d216ed3
TrickBot
367cd9c4f987db35c45539316388a22110adff7b0d0e51f63ceb4034a0037bfb
TrickBot
892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7
TrickBot
89ca80bfb1e0cc9eaee8334a130f79824b8f450482ad71797657f4df145042e0
TrickBot
bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942
TrickBot
+ 3'265 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:top112 banker trojan
Link:
https://tria.ge/reports/210812-m2d2f31bza/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
613fbf3b0c8652c3430ec915b722534013a626710c03a99beaf94341e15043bc
MD5 hash:
b13bc7ec0005cc5d0f76fda9e545cab3
SHA1 hash:
c917b3a1d9345769993afa95f617883928d1eaa2
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/03e83a34-187a-4c13-8fa8-7a5156c888da/
Parent samples :
226321291fa1d596e9a0dc89992fc3e36eb070d06c02df249593a3193d216ed3
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
SH256 hash:
2a1099cc7aa68bd94e8070016a6affeb6df9969085a1aaf452fe9120ba4b8513
MD5 hash:
ece9d04a8ad470dd68590cdc2f153b81
SHA1 hash:
a919055c7a7204499ae38cae5ce29d066e0d05ad
Link:
https://www.unpac.me/results/03e83a34-187a-4c13-8fa8-7a5156c888da/
SH256 hash:
60feadf65540b1bbaa825f434efa78386c58a23424a201d8e48d9d5a5ac2ec03
MD5 hash:
d3e615b0555b49c7c821038033ede1cd
SHA1 hash:
37a9f4a19abb324481fba79648a7c0ead3fa1e16
Link:
https://www.unpac.me/results/03e83a34-187a-4c13-8fa8-7a5156c888da/
SH256 hash:
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
MD5 hash:
97d0ff826db4708c0bf8bff513dda02a
SHA1 hash:
b281f8da746da72039c98312c2f51cb806613ab2
Link:
https://www.unpac.me/results/03e83a34-187a-4c13-8fa8-7a5156c888da/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6c238a124150/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/178746/
  
URLhaus
https://urlhaus.abuse.ch/url/1522101/
  
Delivery method
Distributed via web download

Comments