MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74e715ab7d6fc63775301ab87d959bcbc0af17ce3fe4eb36547392082935a77f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74e715ab7d6fc63775301ab87d959bcbc0af17ce3fe4eb36547392082935a77f
SHA3-384 hash: ae6c2e652b8cde8a0005381ddca64a1279309838fb28a53ba59814f0e84c892b67f3f1cbaa9e0704c9710f208b37c48e
SHA1 hash: 421ee7f7b24ca6868abd8c7434a6260929f5b94a
MD5 hash: 920bd9567bb3fcd1f8cfa26464aedcf2
humanhash: solar-hotel-pizza-lima
File name:74e715ab7d6fc63775301ab87d959bcbc0af17ce3fe4eb36547392082935a77f
Download: download sample
Signature TrickBot
Create hunting rule
File size:339'014 bytes
First seen:2022-03-14 17:39:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash acc7cb5c088e5e812428757b6de0ef91 (1 x TrickBot)
ssdeep 6144:8cYHkpby5TL02YqasYicwzY0Z0SHLuAY5Jpw0D4t:8cYHkdyDlhpYo0gLPcJ9G
Threatray 1'371 similar samples on MalwareBazaar
TLSH T1BC747C3772D124EBD2B6A73B8B337744A337F8655AF69B8B123445564E732838D28E10
Reporter Anonymous
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250313/
Detection(s):
SecuriteInfo.com.Variant.Bulz.312399.22471.18922.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay shell32.dll
Link:
https://www.filescan.io/uploads/622f7df8dfdfa8501c9f27e5/reports/37fb4fca-1d6b-4ec4-bf07-1a628783adab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Rozena
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e5c555f-fbbf-4770-80f5-73831eafaef5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/956385
Signature
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Self deletion via cmd delete
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 588867 Sample: kqlGQW3d67 Startdate: 14/03/2022 Architecture: WINDOWS Score: 96 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Machine Learning detection for sample 2->65 67 2 other signatures 2->67 9 loaddll64.exe 1 2->9         started        process3 process4 11 rundll32.exe 9->11         started        14 rundll32.exe 9->14         started        16 rundll32.exe 9->16         started        18 4 other processes 9->18 signatures5 75 Self deletion via cmd delete 11->75 77 Writes to foreign memory regions 11->77 79 Allocates memory in foreign processes 11->79 20 mstsc.exe 1 11->20         started        23 cmd.exe 1 11->23         started        81 Creates a thread in another existing process (thread injection) 14->81 83 Injects a PE file into a foreign processes 14->83 25 mstsc.exe 14->25         started        27 cmd.exe 14->27         started        29 mstsc.exe 16->29         started        31 cmd.exe 16->31         started        33 rundll32.exe 18->33         started        35 cmd.exe 1 18->35         started        37 2 other processes 18->37 process6 signatures7 69 Contains functionality to inject threads in other processes 20->69 39 conhost.exe 23->39         started        41 timeout.exe 1 23->41         started        43 conhost.exe 27->43         started        45 timeout.exe 1 27->45         started        71 Opens the same file many times (likely Sandbox evasion) 29->71 47 conhost.exe 31->47         started        49 timeout.exe 1 31->49         started        73 Self deletion via cmd delete 33->73 51 cmd.exe 33->51         started        53 conhost.exe 35->53         started        55 timeout.exe 1 35->55         started        process8 process9 57 conhost.exe 51->57         started        59 timeout.exe 1 51->59         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74e715ab7d6fc63775301ab87d959bcbc0af17ce3fe4eb36547392082935a77f/
Threat name:
Win64.Hacktool.Bulz
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 17:40:13 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
13 of 42 (30.95%)
Threat level:
  1/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
2742cfe802405a6fec11b086434a4870f493b6931fd427b8b01ca797ca80732e
TrickBot
42421c08872fa9a261dfe3184f7747d224ed3deb2c0420bbb2ce8f00387fd258
TrickBot
5906182e34caa4c37339e8d87cb46c9b9788088450d8a4b7c2052db5dbb8d174
TrickBot
a1457e7a591877c3732325e462c479a450b19bda91ecaca0a37cdb137ed152ae
TrickBot
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
TrickBot
cdbed3a79d37d581fc5be268df61e13aaafa5c88a001f4e8b298d77c4b37ae13
TrickBot
e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac
TrickBot
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
TrickBot
fc1b7bced544df8bcc71b729d5574092bf2e96660498a919fcc7f420c1c0ccc7
TrickBot
fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9
TrickBot
+ 1'361 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220314-v8wldscebk/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
74e715ab7d6fc63775301ab87d959bcbc0af17ce3fe4eb36547392082935a77f
MD5 hash:
920bd9567bb3fcd1f8cfa26464aedcf2
SHA1 hash:
421ee7f7b24ca6868abd8c7434a6260929f5b94a
Link:
https://www.unpac.me/results/3b4fbcf4-8783-4070-93a2-793e3980d403/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74e715ab7d6fc63775301ab87d959bcbc0af17ce3fe4eb36547392082935a77f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250313/

Comments