MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cfa85e9c1bed641e7377f9d9730869a232979754f06667a365f50644b83035b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cfa85e9c1bed641e7377f9d9730869a232979754f06667a365f50644b83035b
SHA3-384 hash: c09261822d2d8997653bc2d80da8d2bc1a464d5c3675b2e7125f19747efddb6cde89319b4ac035c7c7bf61dd1cdfcecc
SHA1 hash: 7ca53dac2d3bbaaf716d2f635fde8a1af678e9c3
MD5 hash: f6f130bacb418e4c30414ec838a688ad
humanhash: alanine-michigan-georgia-sodium
File name:SecuriteInfo.com.Win32.GenKryptik.EGRP.24755
Download: download sample
Signature TrickBot
Create hunting rule
File size:757'760 bytes
First seen:2020-03-20 21:12:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6c4a79f174042c3a1f97d933ba3a4dce (2 x TrickBot)
ssdeep 12288:8rfrCCL3rPv3Jzxln3s5u9wKn8XfQzSYmqHv4SfTZ7bAqW:gv3rPfJzxlc5u9h8vQzNmqhLZvAqW
Threatray 2'725 similar samples on MalwareBazaar
TLSH 81F49E63F5F2C0B6E0B562F11D418BB4527AFAD46D2989A33BE22B0DC9352F1467D381
Reporter SecuriteInfoCom
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.GenKryptik.EGRP.24755.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-03-21 02:42:20 UTC
AV detection:
27 of 30 (90.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
emotet
Create hunting rule
Similar samples:
34df4fec6798befd9aa30d72fe35f258f36e70e787cc1a8554de86ba8632a312
TrickBot
497eebb26dbf500508b344dec05bbadb1e0421d77be6defc150bce9f88ea37b9
TrickBot
764553cbeade2cc41c018b08fb22381a32a6c475b86353458d8fbc1aab86afeb
TrickBot
76edf0ebea99cf07ff5bb900193c4efa05e971c2bc2097ec70d5e54ad7b3dce8
TrickBot
814c1770aa6e418212eeec6a5170a1aba281370750bb22d040acfec544cb34e3
TrickBot
8deba9fb53096d6ea5e2090b662244293829096eee03d06108deb15e496a807e
TrickBot
c2d499169a652c5c86ef28b7dca25f23e986bdd93b23fe02115923f698d61b58
TrickBot
da995f78d6ba4f7acab4a421e759cc15d2a3b8ca5549edd76605252e410d65ac
TrickBot
de064838cb87ab944c6a43f9ccfe42875ec2d4e0de7ecb3d61b92d3dcb44c5a9
TrickBot
f8b31cf177d5a4de939ee8c19d629df9548ac33721c47c66d71bc376922ec259
TrickBot
+ 2'715 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7cfa85e9c1bed641e7377f9d9730869a232979754f06667a365f50644b83035b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 7cfa85e9c1bed641e7377f9d9730869a232979754f06667a365f50644b83035b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/327775/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments