MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7735a05791f9c8d69e6211b9d5df24a852fcf7e6e8bae876f4ac126023c52852. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7735a05791f9c8d69e6211b9d5df24a852fcf7e6e8bae876f4ac126023c52852
SHA3-384 hash: 487e7ead3ff3f7afe71b419c1b704dc23ece4656febad8ff46afbf8e4a2b8eb52b8c0b974f8cb434b52c895b399dbdde
SHA1 hash: 94ae964cbfcc06246bdb1407315059b9eb84ee43
MD5 hash: 7dfb148ff794dde58c7ab55d93b0112c
humanhash: seventeen-spring-kitten-queen
File name:7dfb148ff794dde58c7ab55d93b0112c.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:1'348'337 bytes
First seen:2021-11-20 10:58:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 24576:OQLny3OiG7O5fWcmCM4jBg0nWDqVXF1/Vz897cDH6WboJVIb90IrWH:OQLy3Z5ecmCMqhnllLNgIHjbiIb9EH
Threatray 932 similar samples on MalwareBazaar
TLSH T1E455EF337CAC475DC8901B73CD93E27216AE2E5B5AF2C14A50F66F878BF01989016F5A
dhash icon 00ccf0d4ccd0dc00 (4 x TrickBot)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
860
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7dfb148ff794dde58c7ab55d93b0112c.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-20 11:01:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/273958ea-66d0-4eba-b1fd-6c9ad4f0b4d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Trojan.Generic-9822957-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.MSIL.Krypt.11.1240.9175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
alien conti overlay packed strictor
Link:
https://www.filescan.io/uploads/6198d4f8d0c3a45787fb2f55/reports/012b027b-0cf9-4403-b02d-112f94977697/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b42dfcb8-a079-48d5-84c5-2cf6010dea0b
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/893088
Signature
Antivirus / Scanner detection for submitted sample
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample is not signed and drops a device driver
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525561 Sample: 6UrUHZ5xVB.exe Startdate: 20/11/2021 Architecture: WINDOWS Score: 96 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected Trickbot 2->58 60 2 other signatures 2->60 10 6UrUHZ5xVB.exe 1 6 2->10         started        14 rundll32.exe 2->14         started        process3 file4 48 C:\Users\user\AppData\Local\...\Appare.sys, data 10->48 dropped 76 Sample is not signed and drops a device driver 10->76 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        signatures5 process6 signatures7 21 cmd.exe 2 16->21         started        25 conhost.exe 16->25         started        27 certutil.exe 2 16->27         started        62 Obfuscated command line found 18->62 64 Uses ping.exe to sleep 18->64 66 Drops PE files with a suspicious file extension 18->66 68 Uses ping.exe to check the status of other devices and networks 18->68 29 conhost.exe 18->29         started        process8 file9 46 C:\Users\user\AppData\Local\Temp\...\Tua.com, PE32 21->46 dropped 70 Obfuscated command line found 21->70 72 Uses ping.exe to sleep 21->72 31 Tua.com 21->31         started        33 PING.EXE 1 21->33         started        36 certutil.exe 2 21->36         started        38 findstr.exe 1 21->38         started        signatures10 process11 dnsIp12 40 Tua.com 31->40         started        50 127.0.0.1 unknown unknown 33->50 process13 dnsIp14 52 rrrioYNbTRzfc.rrrioYNbTRzfc 40->52 74 Injects a PE file into a foreign processes 40->74 44 Tua.com 1 40->44         started        signatures15 process16
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7735a05791f9c8d69e6211b9d5df24a852fcf7e6e8bae876f4ac126023c52852/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 01:46:43 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o422av4r7hennhtccg45lxzevbjpz57g5c5oq5xuvqjgai6ffbja._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
TrickBot
1a5d1d3d58f829e1447df95583770da8106382f32ebced394eccda36a921bdf5
TrickBot
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
TrickBot
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
TrickBot
97aa05fceef261ee4ca00025a69280b8f9843ba6531a48ee543eed1f37af8c27
TrickBot
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
TrickBot
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
TrickBot
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
TrickBot
d561dfe74cc927428dad121c5a8d60f0289a43382e6130bc72a6b34c000b9b9b
TrickBot
d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea
TrickBot
+ 922 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob1 banker persistence trojan
Link:
https://tria.ge/reports/211120-m3d56acfgp/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
85.204.116.83:443
91.200.100.143:443
83.151.14.13:443
107.191.61.39:443
113.160.129.15:443
139.162.182.54:443
139.162.44.152:443
144.202.106.23:443
158.247.219.186:443
172.105.107.25:443
172.105.190.51:443
172.105.196.53:443
172.105.25.190:443
178.79.138.253:443
192.46.229.48:443
207.246.92.48:443
216.128.130.16:443
45.79.126.97:443
45.79.155.9:443
45.79.212.97:443
45.79.253.142:443
45.79.90.143:443
66.42.113.16:443
85.159.214.61:443
Unpacked files
SH256 hash:
d99145ab93f2f32ed3a553992213cdd23f9cd869e74665e449f55b7b4a461c8f
MD5 hash:
cb4e827ff80fc7cc0ad57315f808df3a
SHA1 hash:
f86a836c9fc6a7b1f4273cb575c5244d955b0fb3
Link:
https://www.unpac.me/results/bd628278-65f2-447a-9d69-8e0fd701cde8/
Parent samples :
ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d
d477322f8d90be3d37d78ab73d97d59e0ae6ca7ac32e2fdefd5668f67cb1fb62
bb932056cae8940742e50b4f2b994a802e703f7bc235e7dd647d085ae2b2baf7
39f3698e7359c0a93122897138c050ecb0b71d71843f68ba8d05a9ed7e7cb67b
d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a
774368536ee17949132b38f6067b9b6aea5362c1f23fb06410b4e8cec4c2ed5c
bb653dddd858f686a07ac236a6098d9da8dcb8524aedc8da2cb5a6f084cbfebc
edc325712bb62fcd4fe96f6bf63559449b9158b816768a8122dad070e8aaf44e
06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437
59a0f409289061eed9d13f294a5d63cf1f72dafb7302272b935aba711a0d1870
9fa64c90a5f724bb282934ee693fac3b8f82a7a08039d52946904262f8d2ec6a
645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d
SH256 hash:
7735a05791f9c8d69e6211b9d5df24a852fcf7e6e8bae876f4ac126023c52852
MD5 hash:
7dfb148ff794dde58c7ab55d93b0112c
SHA1 hash:
94ae964cbfcc06246bdb1407315059b9eb84ee43
Link:
https://www.unpac.me/results/bd628278-65f2-447a-9d69-8e0fd701cde8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7735a05791f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/7735a05791f9c8d69e6211b9d5df24a852fcf7e6e8bae876f4ac126023c52852

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0ddeb53f957337fbeaf98c4a615b149d
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207766/

Comments