MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78467352d7034224d72a7846e1ce2102d2b7e31aa85d72383694c8bc51937f20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78467352d7034224d72a7846e1ce2102d2b7e31aa85d72383694c8bc51937f20
SHA3-384 hash: 624c342c6352a27972281e57a4a1a3f7e2c6864778ee49b5db3656c51e540cef21b61fa66324b16b3979704d61c97a2b
SHA1 hash: 17f6454a34cf6923c573693f614b214c14b3b03a
MD5 hash: d6e22dcd5f81671da7c4a1191d480c63
humanhash: pasta-south-cat-football
File name:d6e22dcd5f81671da7c4a1191d480c63
Download: download sample
Signature TrickBot
Create hunting rule
File size:507'904 bytes
First seen:2021-10-05 07:16:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e38afb91bac491f7825e4d9386ac015b (4 x TrickBot)
ssdeep 12288:J1YWEJFGqCu7+K+1A8uKQfL/g8g54yXsJ/20V/YnOcy:J1YWEJFGqd7+ubgNtsJ/5i5y
Threatray 1'052 similar samples on MalwareBazaar
TLSH T1BBB4F10277D584B3DA62643209EAA77AB774BD554A32CF87A354FF0CDC31240993B36A
File icon (PE):PE icon
dhash icon 02505e151a0d0008 (5 x TrickBot)
Reporter zbetcheckin
Tags:32 exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d6e22dcd5f81671da7c4a1191d480c63
Verdict:
Suspicious activity
Analysis date:
2021-10-05 07:17:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ad48d24-15f5-409c-b3b1-0a09c63280ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194916/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.16730.20044.8092.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/615c0697b95458900cdc5f43/reports/d3803e3b-bba7-4599-92df-a2e6661fc1e9/overview
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b196f949-39fe-4dca-963c-fd85c22de39c
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/864523
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/78467352d7034224d72a7846e1ce2102d2b7e31aa85d72383694c8bc51937f20/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 07:16:17 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbdhguwxanbcjvzkpbdodtrbaljlpyy2vboxeobwstelyumtp4qa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
46401903e85a5c457490a6934ec4dc61fdf28df83af37741e1566a2abb290ecb
TrickBot
49e61873c2864b4a39bfb6c520ea9644d1b38088cd11a6d0f2f6ced91b793856
TrickBot
5787c6b7af7d648a2dd1caae5a73e9c92c38c061edb282d4189e51d5e2a79c49
TrickBot
830bcde611388becedda291ae07594e0c1fde7f2e9ad2737a565e03b928888e2
TrickBot
83f374f57d674ac1abf87f968ba37237e5403bcae01ded47b7a912c4c5a58163
TrickBot
be73990affb5a559127094b6869889e821b872eeb774940af74b44ee3b503054
TrickBot
d423f00832f44b4195a686c691b2f20e55bd4c31145a43561f83f1ea661bfc60
TrickBot
d76bcc765a822ded81cf1518ab3d65e08cc42ccf946d9381d1115934abe6fed5
TrickBot
def94d349e3c5637e40dcf603fd7c41d8807f13c0804bea48f1e098fd7629578
TrickBot
f61db22354e7f73c3bdcd0465608a2c27e182426bc1b1cafd3e2e134965fe7eb
TrickBot
+ 1'042 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib158 banker trojan
Link:
https://tria.ge/reports/211005-h3t46ahdb8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Unpacked files
SH256 hash:
5a9be4eaf09608265f1453327b6f5d3936061c1a5de7ea51b9dc05898d7134fb
MD5 hash:
6133558624bb2cba20f13bff119d8329
SHA1 hash:
a650f5f7c81fe831830b0638ee899aa7ba0d4cf2
Link:
https://www.unpac.me/results/31ab2145-430e-4f23-90ba-c6f12f0c8157/
SH256 hash:
54c7beba95c3e2faed426b0f0ef2a40db8dc525b1b09faa70d6c445a3bbd0c4d
MD5 hash:
e734d9cb9b35de8e5487522fcc4de04f
SHA1 hash:
75c1c4b668c09727959cb227654dcc41e9904ea8
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/31ab2145-430e-4f23-90ba-c6f12f0c8157/
Parent samples :
78467352d7034224d72a7846e1ce2102d2b7e31aa85d72383694c8bc51937f20
f5b2a9d72565eee864ecd613e63882d5c12145dd71a85f44ca451cbea110ce18
SH256 hash:
1a8ebe5819afa0462047bfde05715cec279a6a6bdf28323edc12f82bf3982548
MD5 hash:
ecba0b2635ef500288d868912196f86c
SHA1 hash:
730f00f6252179fa05704906ba5cba782c7d8c26
Link:
https://www.unpac.me/results/31ab2145-430e-4f23-90ba-c6f12f0c8157/
SH256 hash:
78467352d7034224d72a7846e1ce2102d2b7e31aa85d72383694c8bc51937f20
MD5 hash:
d6e22dcd5f81671da7c4a1191d480c63
SHA1 hash:
17f6454a34cf6923c573693f614b214c14b3b03a
Link:
https://www.unpac.me/results/31ab2145-430e-4f23-90ba-c6f12f0c8157/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/78467352d703/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78467352d7034224d72a7846e1ce2102d2b7e31aa85d72383694c8bc51937f20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 78467352d7034224d72a7846e1ce2102d2b7e31aa85d72383694c8bc51937f20

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194916/

Comments


Avatar
zbet commented on 2021-10-05 07:16:02 UTC

url : hxxp://51.195.192.116/images/eflyairplane.png