MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f
SHA3-384 hash: c513195bee022c02b22621a0bd99fae7e7ce4f0aa3e0f348cf21fe2c5b840f1c7d14c71f596fdab9a8c20ff182037aef
SHA1 hash: 5d27d9996bd655b433d0d40a448058422282221f
MD5 hash: 18abd81a4176d5fc8ebe797574536a3d
humanhash: coffee-freddie-mockingbird-table
File name:18abd81a4176d5fc8ebe797574536a3d.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:528'443 bytes
First seen:2021-09-27 08:30:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 675872e23dfc0f62ffbc2f69c316f4bc (22 x TrickBot)
ssdeep 12288:cbVMh0tRyr3W3SNniM+uwkMx8nXoTT0WJZmo:WMh0tRy13lY8X2xJZmo
Threatray 3'912 similar samples on MalwareBazaar
TLSH T17EB4D03535E08973D16319308EFD07E963B9BCA147B2958F8F902F0D3C7E556A43A2A6
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
18abd81a4176d5fc8ebe797574536a3d.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-27 08:47:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63b19147-9b2d-4ea0-ab5b-183a5adb00e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191969/
Detection(s):
Win.Trojan.Trickbot-9896742-0
Create hunting rule

Win.Trojan.Ulise-9896859-0
Create hunting rule

Win.Malware.Trickbot-9896860-0
Create hunting rule

SecuriteInfo.com.Variant.Ulise.303788.23835.9448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73c273fb-ff4b-49cd-8c2c-8fdd17d35c9d
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/858823
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491249 Sample: F3Yyj3fF4k.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected Trickbot 2->41 7 F3Yyj3fF4k.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 12 wermgr.exe 4 7->12         started        17 cmd.exe 7->17         started        19 F3Yyj3fF4k.exe 10->19         started        21 conhost.exe 10->21         started        process5 dnsIp6 29 179.42.137.110, 443, 49739, 49740 TelefonicadeArgentinaAR unknown 12->29 31 186.4.193.75, 443, 49753, 49754 TelconetSAEC Ecuador 12->31 33 9 other IPs or domains 12->33 27 C:\Users\user\AppData\...\F3Yyj3fF4k.exe, PE32 12->27 dropped 47 May check the online IP address of the machine 12->47 49 Tries to detect virtualization through RDTSC time measurements 12->49 51 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 12->51 53 Multi AV Scanner detection for dropped file 19->53 55 Writes to foreign memory regions 19->55 57 Allocates memory in foreign processes 19->57 23 wermgr.exe 19->23         started        25 cmd.exe 19->25         started        file7 signatures8 process9
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 08:31:07 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0a186671477b6796f1df9ba4bca54147761fedf6284a0d88caabe83b8502e684
TrickBot
1846bc537e84c6ad4b8556b51ca0f9fa9e5b4037182fd8350cb9f783caa90d4c
TrickBot
2e2b2b42ca06698c2e034ce202c2d887e86d4b33cb58fa7fbd5930ca87100d03
TrickBot
46401903e85a5c457490a6934ec4dc61fdf28df83af37741e1566a2abb290ecb
TrickBot
7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
TrickBot
9506421d996290f70689559ee0c09cc074c948fff495478dab43f0d320fdaa20
TrickBot
d57ab1032a5e45e83d3b63f0e8baf588393d7f67065b41807184e76d6f962f77
TrickBot
d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1
TrickBot
f50b51b633835edd334b8627e2cac0571b856212ec2580a7aeb149bd27066255
TrickBot
f61db22354e7f73c3bdcd0465608a2c27e182426bc1b1cafd3e2e134965fe7eb
TrickBot
+ 3'902 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot153 banker trojan
Link:
https://tria.ge/reports/210927-kep7eagbap/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Unpacked files
SH256 hash:
70288da56e4da38f23b82ccc9b18f9133f7e38de4290f511cd3ce9030a99a254
MD5 hash:
60e8f1fde88645a2a5d696c780c0473b
SHA1 hash:
e1d291faee4a2e9fcf542731a287eff9a14d4299
Link:
https://www.unpac.me/results/f0f2af9c-4293-40b0-b561-fb50865cb239/
SH256 hash:
ec91224925ed968b98000321cb19249318f6c94ac6e0db61ea1aa3e9de7c846c
MD5 hash:
95044f906bea9dde6bda3e8509a6b4ba
SHA1 hash:
314bb3c71024110d6682caa972c56646d46cbe33
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/f0f2af9c-4293-40b0-b561-fb50865cb239/
Parent samples :
f50b51b633835edd334b8627e2cac0571b856212ec2580a7aeb149bd27066255
7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1
1846bc537e84c6ad4b8556b51ca0f9fa9e5b4037182fd8350cb9f783caa90d4c
2e2b2b42ca06698c2e034ce202c2d887e86d4b33cb58fa7fbd5930ca87100d03
46401903e85a5c457490a6934ec4dc61fdf28df83af37741e1566a2abb290ecb
8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f
9506421d996290f70689559ee0c09cc074c948fff495478dab43f0d320fdaa20
c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5
bca7a1fb84234ecba4c9c23ea3ed640d59b8be481197a76fa2c830ad1344a322
67ddef66c6c896706289e9797649228a86ffd88cb208662ecdeb8dbf8a937b18
SH256 hash:
0ff069b25042fd7e2ac4fbf679ca0b67422935151e206963c3604279778e734f
MD5 hash:
0c4ca73d1c8cac20bd22aaaf5b5f3516
SHA1 hash:
774eb679c995bf92ec9ca0d5078f769d9f3c3409
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/f0f2af9c-4293-40b0-b561-fb50865cb239/
SH256 hash:
8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f
MD5 hash:
18abd81a4176d5fc8ebe797574536a3d
SHA1 hash:
5d27d9996bd655b433d0d40a448058422282221f
Link:
https://www.unpac.me/results/f0f2af9c-4293-40b0-b561-fb50865cb239/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8153e737558e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1641958/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191969/

Comments