MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cdc2e665bbfecd57123f410b3f244dd1c390322e96d34ee730c8210261c6eab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cdc2e665bbfecd57123f410b3f244dd1c390322e96d34ee730c8210261c6eab
SHA3-384 hash: 78ed41034b6c1bf8dec938fc5d2ba6b215434f5eec2ff01971b592022b80216247abcf85a6057069e34708c39bd0e1e8
SHA1 hash: 2648f4d92659f4e9095d5eb979e55de0f2738232
MD5 hash: 98a3dc1b2061b7ade1a1ccb2ba662261
humanhash: charlie-jupiter-harry-batman
File name:98a3dc1b2061b7ade1a1ccb2ba662261.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:442'368 bytes
First seen:2021-10-02 15:55:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 220580f49c2724e661575b7bf3bd58ea (13 x TrickBot)
ssdeep 6144:h0lJVu5xP+oVEm8NG/wBHRSIAR9687dX9szOHMVT+R6NWPFgQAXaneCrvD:h0lJ4jP1zwn+96sdX9szOHMVFCgaJj
Threatray 1'286 similar samples on MalwareBazaar
TLSH T1C594F1123AE0C877D0A745314EF58B79B6BAFB504F318A6F23D90F1E1D31A518A26376
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
98a3dc1b2061b7ade1a1ccb2ba662261.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-02 15:58:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a5b5998-1b3a-4477-acd6-2696442f38b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194212/
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.94.18802.1683.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/711a4c1c-e7ec-464c-ab19-cf101b6e98e0
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863222
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495650 Sample: yZTj8HfAuq.exe Startdate: 02/10/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Yara detected Trickbot 2->53 55 2 other signatures 2->55 7 yZTj8HfAuq.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 59 Writes to foreign memory regions 7->59 61 Allocates memory in foreign processes 7->61 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 conhost.exe 10->18         started        process5 dnsIp6 43 46.99.175.217, 443, 49753, 49755 IPKO-ASAL Albania 12->43 45 ip.anysrc.net 116.203.16.95, 49754, 80 HETZNER-ASDE Germany 12->45 47 6 other IPs or domains 12->47 63 Hijacks the control flow in another process 12->63 65 May check the online IP address of the machine 12->65 67 Writes to foreign memory regions 12->67 69 2 other signatures 12->69 20 svchost.exe 11 12->20         started        25 svchost.exe 12->25         started        27 svchost.exe 12->27         started        signatures7 process8 dnsIp9 37 203.109.82.172, 443, 49789, 49815 YOU-INDIA-APYOUBroadbandCableIndiaLtdIN India 20->37 39 103.201.142.30, 443, 49786, 49812 WORLD-ASWorldStarCommunicationIN India 20->39 41 24 other IPs or domains 20->41 29 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 20->29 dropped 31 C:\Users\user\AppData\...\Login Data.bak, SQLite 20->31 dropped 33 C:\Users\user\AppData\Local\...\History.bak, SQLite 20->33 dropped 35 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 20->35 dropped 57 Tries to harvest and steal browser information (history, passwords, etc) 20->57 file10 signatures11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6cdc2e665bbfecd57123f410b3f244dd1c390322e96d34ee730c8210261c6eab/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 15:56:12 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
135dfd26acc2ab044b4159e7e0da289e2c7835c4049100106a00ca7d232bddea
TrickBot
491c684460b41e06321c3589818a48e376b4a2c9028ae88e0c16050919e13ecb
TrickBot
944c18692e200c4de70817facee4fd8662c99743d64e57e43dd3f212d68e8003
TrickBot
a3169da61f96b181fc44fd514040fce58c1cc54dd9fb31da42fc2a98db0de7a6
TrickBot
bdce492e4d57278c61292d96fc20f8de5d9649cc2acc243b89243204d183be1f
TrickBot
be73990affb5a559127094b6869889e821b872eeb774940af74b44ee3b503054
TrickBot
d76bcc765a822ded81cf1518ab3d65e08cc42ccf946d9381d1115934abe6fed5
TrickBot
f61db22354e7f73c3bdcd0465608a2c27e182426bc1b1cafd3e2e134965fe7eb
TrickBot
fd26c012af2d0325a5eb2397fa3b6b36b8480dc99a6f7b81b8a6423b029ca03b
TrickBot
fdbbfcaac090ccd1b7ce3289ea862e5c8f0ced4318f368db0e6976df950e9706
TrickBot
+ 1'276 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lip128 banker trojan
Link:
https://tria.ge/reports/211002-tdcpcsedf8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
23ae510114d7208fd61245f6dff8b7b2ab035b171a2fa93c6accd5d2c4ec4389
MD5 hash:
1a6003138f3e18fb4d8b6ed115030c68
SHA1 hash:
e7efe42efc6a60deef79795f5e68e137fbc8b7f8
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9baa2180-507f-4b09-8fcf-85988e902091/
Parent samples :
6cdc2e665bbfecd57123f410b3f244dd1c390322e96d34ee730c8210261c6eab
7c483138404aad6662938e6e4c100ad9b18ec636011b2dcd96607016d918c938
af3346ae78376e9b1a0025c938af5b4dd75842181e30b4ea6a4801f75fe07140
52ad00166829d7c43b67ae8304739f9e5f107467d8e964ba10bcb897f40e7e81
82c3c81ea8c5fb605e216367a214caf5573fa2f4fce9cd4f4dbc9baa9ba12fd6
7d588ba83fa25ee7e7911f192df709b8a19872de243ffbfc4c56428d903702e7
SH256 hash:
2823a706f28be8e51e049cd07fae2c742b5225369dbd879ee9df9a2771b8c0bf
MD5 hash:
da364648130c1de330bcb62bc046d986
SHA1 hash:
1150a8f0ae82dbdff16bee3c5feb26ea304de7ff
Link:
https://www.unpac.me/results/9baa2180-507f-4b09-8fcf-85988e902091/
SH256 hash:
507a053b0e1241fca6d1daef4f98e7495ada526c828ac4bf7adb2925002a9b16
MD5 hash:
6bca31e513d5ff68f34edbb4bec8179b
SHA1 hash:
05e957254723bcb5ed81052e352a177d442a9dfa
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9baa2180-507f-4b09-8fcf-85988e902091/
SH256 hash:
6cdc2e665bbfecd57123f410b3f244dd1c390322e96d34ee730c8210261c6eab
MD5 hash:
98a3dc1b2061b7ade1a1ccb2ba662261
SHA1 hash:
2648f4d92659f4e9095d5eb979e55de0f2738232
Link:
https://www.unpac.me/results/9baa2180-507f-4b09-8fcf-85988e902091/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6cdc2e665bbf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cdc2e665bbfecd57123f410b3f244dd1c390322e96d34ee730c8210261c6eab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 6cdc2e665bbfecd57123f410b3f244dd1c390322e96d34ee730c8210261c6eab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1650382/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194212/

Comments