MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 8

SHA256 hash: 6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
SHA3-384 hash: 65234697a64e5325e8ecf567c5f390bbe3a3356c1f4fbfc44a215f22999b379af2de6a09bacce8449e1c181fdd651871
SHA1 hash: 356cffd1e9238381b9ee7a1dd815ebad1f0c59e6
MD5 hash: 6eb19c3eb3c0c754d0c688cca6654306
humanhash: zulu-west-failed-mobile
File name: Trickbot-gtag-rob3.exe
Signature: TrickBot
File size: 348'160 bytes
First seen: 2020-11-11 22:45:44 UTC
Last seen: 2020-11-12 00:45:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 146bef9b868bcd12a3ffcb7738a4340b (1 x TrickBot)
ssdeep: 6144:RTeygQhNrSM4KTHgG3QjpvxT7n+GQa+auwkAQQTWlUJID4xYoY6jrRK2V:RTrhNriKTHgGg1ZX+GqaXkArW2qDgYeP
Threatray: 2'902 similar samples on MalwareBazaar
TLSH: 61741306B0E1CCB2D9AA40364CD6AE59577BF0310FB09AC76B54564F9F393D1AA3E212
Reporter: malware_traffic
Tags: exe rob3 TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 241
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Delayed writing of the file
Deleting a recently created file
Launching a process
Connection attempt
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.EmotetCrypt
Status: Malicious
First seen: 2020-11-11 23:35:37 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:rob3 banker trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Trickbot
Malware Config
C2 Extraction:
66.85.183.5:443
185.163.47.157:443
94.140.115.99:443
195.123.240.40:443
195.123.241.226:443
Unpacked files
SHA256 hash: 6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
MD5 hash: 6eb19c3eb3c0c754d0c688cca6654306
SHA1 hash: 356cffd1e9238381b9ee7a1dd815ebad1f0c59e6

SHA256 hash: 09eee332faccffcee7e5b1a80573a178acd9d558bd56d865f668d4b5d635a708
MD5 hash: 98fa47fc3b2a5d77f5e8dc62a2c1a820
SHA1 hash: d99ab03e7c01975e64f7b645e552b5f7add15b08

SHA256 hash: 67c117bbdb79216f8400438d80bffbc3b7e9f49c343db8e1c4d04d1c586ae743
MD5 hash: 11deffacf8cee5da8057661c066a7167
SHA1 hash: 167dd8f87d64a8cf72776f2f9696f37f299aba9a
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto

SHA256 hash: 6c4eee978ce5c2e934d4a55065ae92c0ef83e2ea4ecd75a5c99463961e776f6f
MD5 hash: b8cd6d215b649a8e86e76252d61ba077
SHA1 hash: a59a28e0836091ecb1e009afd6fc23a45708831b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments