MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e
SHA3-384 hash: aa5a19376140d70564e36c29f2d2d48f6426f470dc9760d13911f37621dd79a424d5245abedee9f1c51124153be70e03
SHA1 hash: 439c361150cfe68da4ae41454f0c3e2a7866ca8b
MD5 hash: 28f8e4132da9fb78e90f68e9ddaf0c93
humanhash: seven-yellow-california-mobile
File name:28f8e4132da9fb78e90f68e9ddaf0c93.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:453'632 bytes
First seen:2021-10-27 11:49:07 UTC
Last seen:2021-10-27 13:27:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea5a56b411909a74a5afb4f0920c62b1 (4 x TrickBot)
ssdeep 6144:Cm18XMqwPrNX4ZU+GREB+n/MnzHq6b47w6dHU0QpNGjak9hgqEXGGy:j1r1rNX4ZTGR7nuzHdMk6duNeZAGF
Threatray 1'121 similar samples on MalwareBazaar
TLSH T127A4F11136C0C076F0731279CDE9A676863ABC715F2469DBB7C51BAE0F792D0AA38247
File icon (PE):PE icon
dhash icon 115060f4f0f972b0 (4 x TrickBot)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200495/
Detection(s):
SecuriteInfo.com.Variant.Zusy.405052.11110.25640.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware trickbot wacatac zusy
Link:
https://www.filescan.io/uploads/61793ceddb358dd15edf9f8a/reports/7f740b59-c9bb-41f3-a009-e29df64ba8d4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f7ea3d4-b7a4-4b23-90e5-e0d099817d06
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/877704
Signature
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 11:50:07 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1455e78e95b8e3b9df5eb8d8d1703018c927694c6269e01f1b846abdfa054b82
TrickBot
45b7ef5a55cbcddb1f21415450ee982ebdafac1cf3a57e62acb8d014bc797dfc
TrickBot
6db7642e42467842b97947426d78418e58c1e0b25f125ce0faa8bfa6436a70b2
TrickBot
968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
TrickBot
9890dddc8087d395c5eab7410880b35d3e790d11ab08f2b4a039818e814f21ed
TrickBot
e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb
TrickBot
f8cdd0190b5b1bc3a441e8298cdedec9f09bca6ff99ec0b461d7730985ffb78b
TrickBot
+ 1'111 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lip141 banker trojan
Link:
https://tria.ge/reports/211027-nzllhaefc3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
6968385a375a1818cf0cf2ed3f64b023d28e4aee504210dd679c49e41698da02
MD5 hash:
3cb1f3b3c420530739c507eb962ce89a
SHA1 hash:
d997bd487154aab136f6aa503ad585cfae872279
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/869fc362-d466-4c21-b6cc-2e1cc98467b2/
Parent samples :
784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e
061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565
SH256 hash:
784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e
MD5 hash:
28f8e4132da9fb78e90f68e9ddaf0c93
SHA1 hash:
439c361150cfe68da4ae41454f0c3e2a7866ca8b
Link:
https://www.unpac.me/results/869fc362-d466-4c21-b6cc-2e1cc98467b2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/784b92117e7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/200495/
  
URLhaus
https://urlhaus.abuse.ch/url/1698135/
  
Delivery method
Distributed via web download

Comments