MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f61d466fdb609fd461ba5979fab4a908a5a1c61336566e1313d54d9bf484366. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f61d466fdb609fd461ba5979fab4a908a5a1c61336566e1313d54d9bf484366
SHA3-384 hash: 343a38c0b4d5e450ff2795e941e2b10f36b6ff25beecb7dc07e12c1deb43920ba7fdbc95a5233c7cc69228fb244748f1
SHA1 hash: 8b45aa42aafd6e2a51e2721a0b8945a823e10f37
MD5 hash: 8758f0d7d50bfd8a4e4e663fedc1b1e3
humanhash: alaska-maine-london-georgia
File name:8758f0d7d50bfd8a4e4e663fedc1b1e3.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:1'329'220 bytes
First seen:2021-11-21 07:59:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 24576:OQLny3OiG7O5fWcmCM4jBg0nWDqVXF1/Vz897cDH6WboJVIb90It2:OQLy3Z5ecmCMqhnllLNgIHjbiIb9K
Threatray 934 similar samples on MalwareBazaar
TLSH T12655DF337CAC475DC8901B73DD83E27216AE2E5B5AF2C14950F66F878BF01989016F9A
dhash icon 00ccf0d4ccd0dc00 (4 x TrickBot)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
793
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8758f0d7d50bfd8a4e4e663fedc1b1e3.exe
Verdict:
Malicious activity
Analysis date:
2021-11-21 08:00:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa547fca-1cb7-407b-b7ec-6ae8abb3ef30

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Trojan.Generic-9822957-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.MSIL.Krypt.11.1240.9175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
DNS request
Creating a process from a recently created file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien conti overlay packed strictor
Link:
https://www.filescan.io/uploads/6199fc8594a88037d2fc1aff/reports/36fe0cf7-39e5-46af-aa2b-ea7e1e7172fd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1d8f9ac-2a97-417c-955a-d9ca6c1996de
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/893219
Signature
Antivirus / Scanner detection for submitted sample
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample is not signed and drops a device driver
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525692 Sample: R3TxaHscru.exe Startdate: 21/11/2021 Architecture: WINDOWS Score: 92 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected Trickbot 2->57 59 2 other signatures 2->59 10 R3TxaHscru.exe 1 6 2->10         started        14 rundll32.exe 2->14         started        process3 file4 47 C:\Users\user\AppData\Local\...\Appare.sys, data 10->47 dropped 73 Sample is not signed and drops a device driver 10->73 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        signatures5 process6 signatures7 21 cmd.exe 2 16->21         started        25 conhost.exe 16->25         started        27 certutil.exe 2 16->27         started        61 Obfuscated command line found 18->61 63 Uses ping.exe to sleep 18->63 65 Drops PE files with a suspicious file extension 18->65 67 Uses ping.exe to check the status of other devices and networks 18->67 29 conhost.exe 18->29         started        process8 file9 45 C:\Users\user\AppData\Local\Temp\...\Tua.com, PE32 21->45 dropped 69 Obfuscated command line found 21->69 71 Uses ping.exe to sleep 21->71 31 PING.EXE 1 21->31         started        34 Tua.com 21->34         started        36 certutil.exe 2 21->36         started        38 findstr.exe 1 21->38         started        signatures10 process11 dnsIp12 51 127.0.0.1 unknown unknown 31->51 40 Tua.com 34->40         started        process13 dnsIp14 49 rrrioYNbTRzfc.rrrioYNbTRzfc 40->49 43 Tua.com 40->43         started        process15
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f61d466fdb609fd461ba5979fab4a908a5a1c61336566e1313d54d9bf484366/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2021-08-12 02:13:06 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5q5izx5wye72rq3uwlz7k2kscffuhdbgnswnyjrhvkntp2iinta._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
TrickBot
16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74
TrickBot
29b9058449c81cf5aaa57316c620d80a48e2161d583c6e9351b8c44899315505
TrickBot
2cad1d5cd3e145f720e3da8825183d78545b834fe146a8d1ec26c0e876980a66
TrickBot
364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9
TrickBot
76cde08b521a97baf4aebab068d5c41fa03821dc4c4170a791ebbdcb6a26de64
TrickBot
7817a0794693ad5eaffdc86ca9d8cf7350f9159433d376840e9f6cb6b9c60edc
TrickBot
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
TrickBot
e4c860ba85358041e3ca90b9b94f10499392e4c6db71bd13c59fa8559e2b848b
TrickBot
+ 924 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob1 banker persistence trojan
Link:
https://tria.ge/reports/211121-jvz6wadfal/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
85.204.116.83:443
91.200.100.143:443
83.151.14.13:443
107.191.61.39:443
113.160.129.15:443
139.162.182.54:443
139.162.44.152:443
144.202.106.23:443
158.247.219.186:443
172.105.107.25:443
172.105.190.51:443
172.105.196.53:443
172.105.25.190:443
178.79.138.253:443
192.46.229.48:443
207.246.92.48:443
216.128.130.16:443
45.79.126.97:443
45.79.155.9:443
45.79.212.97:443
45.79.253.142:443
45.79.90.143:443
66.42.113.16:443
85.159.214.61:443
Unpacked files
SH256 hash:
f2d271ce7c39810845c109a67213f9f2db32bbe6e87de61d0ac8f48f14114152
MD5 hash:
e3c71891fb7ae305bae0808acf19329d
SHA1 hash:
1b48128139ea5e390edba9733ffd5f85a130c941
Link:
https://www.unpac.me/results/f21f2d90-441a-460d-9fc2-84e995bdedc6/
SH256 hash:
6f61d466fdb609fd461ba5979fab4a908a5a1c61336566e1313d54d9bf484366
MD5 hash:
8758f0d7d50bfd8a4e4e663fedc1b1e3
SHA1 hash:
8b45aa42aafd6e2a51e2721a0b8945a823e10f37
Link:
https://www.unpac.me/results/f21f2d90-441a-460d-9fc2-84e995bdedc6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6f61d466fdb6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f61d466fdb609fd461ba5979fab4a908a5a1c61336566e1313d54d9bf484366

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0ddeb53f957337fbeaf98c4a615b149d
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207844/

Comments