MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 790769e6e3eb9d2d5d70b03c8d5e0728e954a2bcdd3625b87fd3366b961b90a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 790769e6e3eb9d2d5d70b03c8d5e0728e954a2bcdd3625b87fd3366b961b90a7
SHA3-384 hash: 020347d37a79877c31f2f88132219a1e801f9b61f108fcdd212bf12f8ff93f8d8175c16f55c995fe42f979318efdb1e7
SHA1 hash: aaec414cd14afb803b63477819cc91f1119375dd
MD5 hash: bc1fabbc7e42df40088602c2d317a073
humanhash: floor-high-stream-football
File name:bc1fabbc7e42df40088602c2d317a073.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:753'664 bytes
First seen:2021-10-05 17:22:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f4296a776e183d43c9748b7869d4228 (9 x TrickBot)
ssdeep 12288:dBx+M4F6CM2pEbihXZGrVTrtz0rAK97lF/ACLy/Yw:dn4gCM2GMXAZK97H4CLyQw
Threatray 4'054 similar samples on MalwareBazaar
TLSH T1DBF4BD0631C0D07AD5E221F1CED1EB295AF99E928B290FCB7B90F91E6E366C04437756
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
458
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bc1fabbc7e42df40088602c2d317a073.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-05 17:45:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0bdf6af-2588-4c7d-b6cd-89ba02404bdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195164/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.17532.18320.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/615c89f9e3d213d202b7afc9/reports/6db84d0b-5ebe-4a35-9565-bd4118bec5c3/overview
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d71b7e1-2cd2-4ab0-8582-b057aabee85e
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/865017
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/790769e6e3eb9d2d5d70b03c8d5e0728e954a2bcdd3625b87fd3366b961b90a7/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 17:23:07 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
3816e3845184a41e9c7a1bcb9dacd089e712f72fff6f44ab4d55d563b0177652
TrickBot
3cdd741fb186596e2c6654737c86f6143b6c130a3f51333346e252f74dafc78e
TrickBot
473dfbecc3818114569a9a9f80b0a51ad74b3d88fa778158ab145e839ecb042c
TrickBot
474fcb16f50018e645e155ca03a096d2b8af685e528de42e1c3eadb7a020dde1
TrickBot
5e246d1722c944c3942739a0502fd70e192a29fe20dcbe90a46b69c4f40c4e67
TrickBot
5f98da253ec5d1ffbbe07b9ee727a8d8162911b70d59d905f2a2f52579f524d2
TrickBot
9a5d5f4144492833b2f5368bf39154e0a5d60914afccbfde1db93cf0cd9db000
TrickBot
9ef22f6e73a5eae7a8d1f9fb682e18a413d3081f418238ad16c682d662fb12e9
TrickBot
acf725f1ade6bcadcb9f0ded2d0ad8e6cac553a19acbaf67dd95c133623594e4
TrickBot
c9a17531e2ae6361f893390f51295609f4a2fde60927a9afeac9a9e0c4fc2660
TrickBot
+ 4'044 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot159 banker trojan
Link:
https://tria.ge/reports/211005-vx6l8aabe3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Unpacked files
SH256 hash:
14ebe391b5c3b3ca0ed5c108760a61a22e5778285ff78155325a1ba549f77bb8
MD5 hash:
c3b5502ed5aaef9753a310397c886e8e
SHA1 hash:
71656be51cc995f4a0a35a6eea64123a18ad22f1
Link:
https://www.unpac.me/results/e4a16f8a-8381-42f2-9949-3c112f804fc2/
SH256 hash:
c0feeda957a22edd29aec47be67682e2f4e27a3caefe59eb0d7f05af6fd0de2c
MD5 hash:
72c26a8f385c8941dd42a864b580513b
SHA1 hash:
20ec16d52b4964dc431b3841a784dfa112712d61
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e4a16f8a-8381-42f2-9949-3c112f804fc2/
Parent samples :
acf725f1ade6bcadcb9f0ded2d0ad8e6cac553a19acbaf67dd95c133623594e4
9ef22f6e73a5eae7a8d1f9fb682e18a413d3081f418238ad16c682d662fb12e9
790769e6e3eb9d2d5d70b03c8d5e0728e954a2bcdd3625b87fd3366b961b90a7
728aff0d54df55bd4ed10a1c02c165e86310503cf82bd4c2d6b4b2a0a383dabd
3cff8842d7b2da479a8dcd6c930706d2df7550f9931cefdc94979f03d256f718
6b5e36ec4ea2340e436834152936879db405fecf701801d88cbb6ca200fc5f19
76e78467254c1222cf7d03484a2584a707fdcaa9ffcab2b7323a2958c72667f4
SH256 hash:
a321bc3e11956af98e3505ccdcae109350354822d77b56025073581a93c4fa72
MD5 hash:
b8c3bd2f2b24cbd0ab8f18e23004923a
SHA1 hash:
d64eefc97ecc600f6fc894e00a9d1d29e9056679
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/e4a16f8a-8381-42f2-9949-3c112f804fc2/
SH256 hash:
790769e6e3eb9d2d5d70b03c8d5e0728e954a2bcdd3625b87fd3366b961b90a7
MD5 hash:
bc1fabbc7e42df40088602c2d317a073
SHA1 hash:
aaec414cd14afb803b63477819cc91f1119375dd
Link:
https://www.unpac.me/results/e4a16f8a-8381-42f2-9949-3c112f804fc2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/790769e6e3eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/790769e6e3eb9d2d5d70b03c8d5e0728e954a2bcdd3625b87fd3366b961b90a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 790769e6e3eb9d2d5d70b03c8d5e0728e954a2bcdd3625b87fd3366b961b90a7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1655281/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/195164/

Comments