MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76e78467254c1222cf7d03484a2584a707fdcaa9ffcab2b7323a2958c72667f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 10



SHA256 hash: 76e78467254c1222cf7d03484a2584a707fdcaa9ffcab2b7323a2958c72667f4
SHA3-384 hash: 45609a4eafd0c544a0de0add8542f3e8deb638dbd5b8260ab3e7371a7effa19fe96b38ea9b0c2c5f2d72a177c0b3721b
SHA1 hash: 7cc61af016ec8c930ce18d1b9d0a32657f35d165
MD5 hash: 138925da4d5bf0ce59d0a63512e5fd12
humanhash: comet-quebec-oven-asparagus
File name: 138925da4d5bf0ce59d0a63512e5fd12.exe
Signature: TrickBot
File size: 647'168 bytes
First seen: 2021-10-07 08:45:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 96459f3ac5474c1f5d7b0f19d0d0d7ca (4 x TrickBot)
ssdeep: 12288:SeDQXlHsrpApiu2YOMrnnRY2Lx1yZR9qVa:nKlHsrpAHEMjDT44Va
Threatray: 4'139 similar samples on MalwareBazaar
TLSH: T181D4D052BBD0C876C9A311320EE29B3567FDED115B228BC757D45E1EACB26C08E36316
dhash icon: 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter: abuse_ch
Tags: exe TrickBot

Intelligence


File Origin
# of uploads: 1
# of downloads: 221
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 138925da4d5bf0ce59d0a63512e5fd12.exe
Verdict: Suspicious activity
Analysis date: 2021-10-07 08:46:58 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour: Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware keylogger packed
Result
Threat name: TrickBot
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signatures:
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Threat name: Win32.Trojan.TrickBot
Status: Malicious
First seen: 2021-10-07 02:29:42 UTC
AV detection: 18 of 45 (40.00%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:tot159 banker trojan
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 4434646e062e73bd79f6afb2ea8981d0f7cd838343e776d46e2cb3592216cd83
MD5 hash: 325fa20904170c78dbaba9d18e13a968
SHA1 hash: d7d71e30a365b8064b5d07529a1694776bdde9f9

SHA256 hash: 1d550c158d5792d5f3a46dcf3aa884821afae0c1bcd1dcebaaeb92a71a108f44
MD5 hash: 09b3afcb2d6ac1385be79f8754fe15a1
SHA1 hash: 90460cf7ba0beca3af9dc7d7b9adc46b2da76e65
Detections: win_trickbot_auto

SHA256 hash: 76e78467254c1222cf7d03484a2584a707fdcaa9ffcab2b7323a2958c72667f4
MD5 hash: 138925da4d5bf0ce59d0a63512e5fd12
SHA1 hash: 7cc61af016ec8c930ce18d1b9d0a32657f35d165
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: TrickBot
File type: Executable exe
SHA256: 76e78467254c1222cf7d03484a2584a707fdcaa9ffcab2b7323a2958c72667f4 (this sample)
