MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
SHA3-384 hash: 0c4f6c5fb292f997dc82137bbc735c4a894b47a6ab54f10b16d57535916538aedbb4e33909d5446a17cd8c76aaf8829b
SHA1 hash: 9a06574b7f9f732cf6265fe0aff4c133c1cb8314
MD5 hash: c252603232987121f642be93e9e39348
humanhash: quebec-yellow-north-cold
File name:c252603232987121f642be93e9e39348.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:675'899 bytes
First seen:2020-11-19 09:18:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d6dd54dbc20ca02e6f52d722b7724da (1 x TrickBot)
ssdeep 12288:6EvuYB/r+XfQzgoIpBPn64nP8MFQwn7tr9scCE2fJC8JicB:hDzzgpVFVt+fXb
Threatray 3'178 similar samples on MalwareBazaar
TLSH A4E4CE12BB91C476CEA2B0304FAAFFA5E2BDAD9D49510D43674827CF0D7C442962E727
Reporter abuse_ch
Tags:exe tar3 TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Delayed writing of the file
Deleting a recently created file
Launching a process
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/542608
Signature
Allocates memory in foreign processes
Contains functionality to send encrypted data to the internet
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 01:49:30 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o633x54ppiknqcfwdir6u6zjyk6c4pmpv5rlztzulemcomhkilrq._file
Verdict:
malicious
Similar samples:
126119655bf88be629e8cb7af17b74ed7316557a170e43bb518ce3072d1b6aef
TrickBot
2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed
TrickBot
4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e
TrickBot
52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
TrickBot
58c4bea082b2f44f0beab5356ae2bc9bc73c3f13ab0491861bc2ba24690da103
TrickBot
648d3b8639ff54b8741ec84898b213836594539de6f0c11a6c9f34dccf5e79fe
TrickBot
6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
TrickBot
bfa088b1ea61efa003343b09a536eaffa12bc90fb612f8ebcb8182785bb6eb16
TrickBot
c98b7b275bf404b2e20641f7802e686e8a64b7aa72e1ec0152cf03667daea2be
TrickBot
ea5c72bce7e028a6b2f9febd90751bf0e323da00b4b0d68be2a52ed21fe2a4d0
TrickBot
+ 3'168 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tar3 banker trojan
Link:
https://tria.ge/reports/201119-5t8zgkdc9n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
102.164.206.129:449
103.131.156.21:449
103.131.157.102:449
103.131.157.161:449
103.146.232.5:449
103.150.68.124:449
103.156.126.232:449
103.30.85.157:449
103.52.47.20:449
Unpacked files
SH256 hash:
77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
MD5 hash:
c252603232987121f642be93e9e39348
SHA1 hash:
9a06574b7f9f732cf6265fe0aff4c133c1cb8314
Link:
https://www.unpac.me/results/3e3c8219-cfe5-40ea-bf90-3c5da4db3656/
SH256 hash:
1e7fd8ed2e52ebbc3faa78905b4863e2ac2ae7efa65602d6913f6fbf88e9a134
MD5 hash:
3df3b306cab2e0521b3b572087fe4c0a
SHA1 hash:
b95fe59d10f98f8a9b1b47e7e4aba803e6b576a9
Link:
https://www.unpac.me/results/3e3c8219-cfe5-40ea-bf90-3c5da4db3656/
SH256 hash:
5458f49b6cc29efd54a5a6dd9dc1893d62792b0cdf012937ca32e42a86f3f721
MD5 hash:
0964cbb10ad3b018582fcf53fc11e843
SHA1 hash:
3f5b131856f7619ecdc915a87fac9ed24208f07a
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/3e3c8219-cfe5-40ea-bf90-3c5da4db3656/
SH256 hash:
1bc5b80cd82132d4918397f66b3123f609c301c9d5f4199cdb36c1c2800a51d9
MD5 hash:
55631beedac06dfdad748dadc2ba3d1f
SHA1 hash:
4e745e567651fbd863aed20d39ca9ffd75e01154
Link:
https://www.unpac.me/results/3e3c8219-cfe5-40ea-bf90-3c5da4db3656/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/831640/
  
Delivery method
Distributed via web download

Comments