MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
SHA3-384 hash: fb8f3e6da7103f865fd9e13083b7d2af7f3fdf3f375332006b89252820f45c0bb7e0da917fe974ebf4fba32354e8f8a8
SHA1 hash: 6d4d301594ba01b9e4d8eac59dc839090f090fdf
MD5 hash: 051c20fd814ac34ffcfadd56ec872be0
humanhash: gee-romeo-texas-oranges
File name:051c20fd814ac34ffcfadd56ec872be0.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:528'443 bytes
First seen:2021-09-25 08:02:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 675872e23dfc0f62ffbc2f69c316f4bc (22 x TrickBot)
ssdeep 12288:cbVMh0tRyr3W3SZniM+uwkMx8nXoTT0WJZmo:WMh0tRy53lY8X2xJZmo
Threatray 3'901 similar samples on MalwareBazaar
TLSH T149B4D03535E08973D16319308EFD07E963B9BCA147B2958F8F902F0D3C7E556A43A2A6
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
051c20fd814ac34ffcfadd56ec872be0.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-25 08:16:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/445283ad-b5ed-4775-aec0-182a6022821a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191360/
Detection(s):
SecuriteInfo.com.Variant.Ulise.303788.23835.9448.UNOFFICIAL
Create hunting rule

Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfb0c982-eab0-4c87-9225-a91ac16c4045
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857831
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 490261 Sample: vXVHRRGG7c.exe Startdate: 25/09/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Trickbot 2->41 7 vXVHRRGG7c.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 12 wermgr.exe 4 7->12         started        17 cmd.exe 7->17         started        19 vXVHRRGG7c.exe 10->19         started        21 conhost.exe 10->21         started        process5 dnsIp6 29 179.42.137.102, 443, 49692, 49693 TelefonicadeArgentinaAR unknown 12->29 31 179.42.137.105, 443, 49704, 49705 TelefonicadeArgentinaAR unknown 12->31 33 9 other IPs or domains 12->33 27 C:\Users\user\AppData\...\vXVHRRGG7c.exe, PE32 12->27 dropped 47 May check the online IP address of the machine 12->47 49 Tries to detect virtualization through RDTSC time measurements 12->49 51 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 12->51 53 Multi AV Scanner detection for dropped file 19->53 55 Writes to foreign memory regions 19->55 57 Allocates memory in foreign processes 19->57 23 wermgr.exe 19->23         started        25 cmd.exe 19->25         started        file7 signatures8 process9
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-25 08:03:11 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkrbkskzjhtsdonorm5srs3srlb3gjaehdth6lge6o7coeot2mmq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
226321291fa1d596e9a0dc89992fc3e36eb070d06c02df249593a3193d216ed3
TrickBot
3533489809de87c678e6f04202f369e771de084c3e41d363a6879cc46f2423a7
TrickBot
447f81782c5ec0ddd591a39b3312adacfca17ea97a161646f54ae7f3de334398
TrickBot
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
TrickBot
c5529c964e7362a3ae3ffd0230d73253a491a38f70d2e88cc42abe8a246075b1
TrickBot
dd3b410927a1c9ee86cc61e70378c37f6cb9285f1da01ab0a07a182bfd4906aa
TrickBot
f50b51b633835edd334b8627e2cac0571b856212ec2580a7aeb149bd27066255
TrickBot
f61db22354e7f73c3bdcd0465608a2c27e182426bc1b1cafd3e2e134965fe7eb
TrickBot
+ 3'891 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot153 banker trojan
Link:
https://tria.ge/reports/210925-jxqp8aafgq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Unpacked files
SH256 hash:
70288da56e4da38f23b82ccc9b18f9133f7e38de4290f511cd3ce9030a99a254
MD5 hash:
60e8f1fde88645a2a5d696c780c0473b
SHA1 hash:
e1d291faee4a2e9fcf542731a287eff9a14d4299
Link:
https://www.unpac.me/results/8f6ce034-25b7-4141-aa7e-47609229a6ae/
SH256 hash:
ec91224925ed968b98000321cb19249318f6c94ac6e0db61ea1aa3e9de7c846c
MD5 hash:
95044f906bea9dde6bda3e8509a6b4ba
SHA1 hash:
314bb3c71024110d6682caa972c56646d46cbe33
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8f6ce034-25b7-4141-aa7e-47609229a6ae/
Parent samples :
f50b51b633835edd334b8627e2cac0571b856212ec2580a7aeb149bd27066255
7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1
1846bc537e84c6ad4b8556b51ca0f9fa9e5b4037182fd8350cb9f783caa90d4c
2e2b2b42ca06698c2e034ce202c2d887e86d4b33cb58fa7fbd5930ca87100d03
46401903e85a5c457490a6934ec4dc61fdf28df83af37741e1566a2abb290ecb
8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f
9506421d996290f70689559ee0c09cc074c948fff495478dab43f0d320fdaa20
c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5
bca7a1fb84234ecba4c9c23ea3ed640d59b8be481197a76fa2c830ad1344a322
67ddef66c6c896706289e9797649228a86ffd88cb208662ecdeb8dbf8a937b18
SH256 hash:
fa1fbb905632b46c1c2b1b7371c111d3a7e49b3aeb234ea0732ac61ef641a41a
MD5 hash:
3d7a28670e2b39cb345163d1d00d62a9
SHA1 hash:
bf7ee018116963f15839c020fe95f53155b70908
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8f6ce034-25b7-4141-aa7e-47609229a6ae/
SH256 hash:
7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
MD5 hash:
051c20fd814ac34ffcfadd56ec872be0
SHA1 hash:
6d4d301594ba01b9e4d8eac59dc839090f090fdf
Link:
https://www.unpac.me/results/8f6ce034-25b7-4141-aa7e-47609229a6ae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7aa215495949/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1641958/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191360/

Comments