MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f4e027d6a43811701f9f73b69e77a83e51336457284fb7925dcbed71b13820c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f4e027d6a43811701f9f73b69e77a83e51336457284fb7925dcbed71b13820c
SHA3-384 hash: 8cf8acbfd950d5e952a42a7dc131a784c270d271ccae6707f97bc881c27ba0aa5d714125dd52469b8d66c9e0e93f6a1b
SHA1 hash: 4d360a229338a5801cdb9708e0b860c51883b545
MD5 hash: 8334af22cdc122dadce3b10f7b9b9d45
humanhash: triple-fifteen-washington-black
File name:8334af22cdc122dadce3b10f7b9b9d45.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:803'351 bytes
First seen:2020-09-11 05:29:22 UTC
Last seen:2020-09-11 06:43:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93dc88155a00ae749ca86929ba8dffd0 (23 x TrickBot)
ssdeep 12288:KbQ5Gmpe+jNBNF8KegmyC+cbGxRt4tIUcOWTFLR3q69zvEQIXE:KcFjZB38KeUC+cbYRt4UB9rhYE
Threatray 2'855 similar samples on MalwareBazaar
TLSH 32059E23AD40B44ADA0B0CB15DFD5A7918363C2164156D4BB2D5BE8C2CB2AD36DF932F
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Agent.EWFR.7433.27734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Connection attempt
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/463822
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f4e027d6a43811701f9f73b69e77a83e51336457284fb7925dcbed71b13820c/
Threat name:
Win32.Trojan.TrickbotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-09-11 05:31:05 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5hae7lkioaroapz645wtz32qpsrgnsfokcpw6jf3s7nogytqiga._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05b662e6e0ee03a3e2b87b14fcda6e28f8e048b62f5baeb698068b85d83b1181
TrickBot
09489e108c5b049847f98b97af75418db20af15d9cd727b240b922954b626845
TrickBot
51c6e8784fe2faa618b8b7df5df29d627c8070c8c793bec66df8449f8cff1e2d
TrickBot
57d1d4ea8ba37942a6c6e2db8190d2daf105dec86c5533e7b816c4faa2891c3e
TrickBot
6d18824807eff95fa0f954a096e12956fe309244582383c9e36756e3370ed208
TrickBot
7b3850e39e8474d1f218df0d2ba21a3315759ebed9b40957f6336d313103ffb6
TrickBot
7eb79859f61d8c17c2311867019dca95098df7f55c0ef00580f1cf7fa904a99f
TrickBot
843a9782dab6e69053e6f7bef20491fb3b6756919aa0001522d532a4368831fe
TrickBot
912790d045d0e672bfb1069b453c50e22f1ab7b5d728c364ac3c5cdd05e85c4e
TrickBot
bea4a28914661d6b96f19150a9231d4718a4566ac737c2703c146dd04cf594b9
TrickBot
+ 2'845 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200911-zd6p322s4e/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f4e027d6a43811701f9f73b69e77a83e51336457284fb7925dcbed71b13820c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 6f4e027d6a43811701f9f73b69e77a83e51336457284fb7925dcbed71b13820c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/459871/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/58573/

Comments