MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77
SHA3-384 hash:	1b461870c2117e334caba4f0afdd568e016dc11b67db5b508af3eef92f7fbc6cce26257465d72111ccee72e2f5537900
SHA1 hash:	9e92535dc7bcdd7bf677a643f90ee730784edfc6
MD5 hash:	7773c8164949a42936c4d1374cf16284
humanhash:	paris-hydrogen-california-delaware
File name:	3.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	442'368 bytes
First seen:	2023-08-24 07:07:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b3e900583a5149b2521fc2954714dad0 (3 x TrickBot)
ssdeep	6144:K7SsTkhdodKqFnpNB0ZBPpYbDhk2N+mBN0fmWbli/eQ8CAFCKz62bxMP7RTitG:WmhdSHZoY/y2MM0fm6lfQIR62lM9iA
Threatray	1'760 similar samples on MalwareBazaar
TLSH	T184947C0D32A0847FE16524B0886B6BA45160ADBCAE72D737BF58B54BFD317C6513323A
TrID	39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.5% (.SCR) Windows screen saver (13097/50/3) 13.3% (.EXE) Win64 Executable (generic) (10523/12/4) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	aeb29292daccb48a (1 x TrickBot)
Reporter	dancho_danchev
Tags:	conti conti ransomware exe Ransomware TrickBot win.conti

Intelligence

File Origin

# of uploads :

# of downloads :

1'097

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

123c69e0-6348-43ad-ae38-deaf50daafa5

Verdict:

Malicious activity

Analysis date:

2022-03-01 21:19:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/172014bb-2cd1-4ea3-968d-e45717784fc8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

TrickBot

Link:

https://www.capesandbox.com/analysis/444408/

Detection(s):

SecuriteInfo.com.Exploit.ShellCode.26.11651.7264.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file in the %temp% directory

Launching a process

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/108433/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CursorPosition

CheckCmdLine

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Trickpak

Link:

https://www.hybrid-analysis.com/sample/81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77

Malware family:

Emotet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cce9d5e7-0d46-416e-8bcb-6ba8c6bb54a4

Result

Threat name:

Trickbot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1296413

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Delayed program exit found

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2022-03-02 00:16:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qh5iuo64iuw5fmtzwyp63ex6qplf4zioa26kt3sn7t4zdjfftz3q._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

0d94462f293a6a366797348ae505498819f598a7e406678d904064a0a4849f98

TrickBot

55109a2a108c6539ef4528f9b5fe35ccfae40f86c9595f9b47e923e532d7331f

TrickBot

583e2b0cb3e97254796a4e4bd6887e4e971dfc8e97c009a6cff84444d01fb237

TrickBot

5b044f718cd5d6a2520d25c33b88f647a27b853d01fdeec1a788f15c68950405

TrickBot

734b259f20b4989df93555fde599b5ea9375a7c10f9e6abadb856bfe54343ec1

TrickBot

912790d045d0e672bfb1069b453c50e22f1ab7b5d728c364ac3c5cdd05e85c4e

TrickBot

9a1fc2de129a140468451b41f79bd76f056f790550a500909f67cf009419a717

TrickBot

b8f7459f3c54826cb5cea3aad17870d173febf51047961b7f6218cc93dd25cbc

TrickBot

de5648abf555a4574df8ebf2d2b75dde4ea73639662ae62bf62a109a54f14fd4

TrickBot

+ 1'750 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:yas45 banker dave trojan

Link:

https://tria.ge/reports/230824-hx7hascc4z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Dave packer

Trickbot

Malware Config

C2 Extraction:

95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449

Unpacked files

SH256 hash:

0a2492cfe17c409b0e4966639bffe560c33fb9550424f1a7459e1033e06deb50

MD5 hash:

ddf6c88b8721afe70ad5d6666ba27f1c

SHA1 hash:

b2a3a65d8ff1d565a5ba8f445ad7d1f04a7492d8

Link:

https://www.unpac.me/results/c80e69fb-f225-49b3-bc1f-a9c803c45ecf/

SH256 hash:

5f4028d5184edd0f23bfcec99f0396ff6ea2e0dd2e3b1e027045b0907c4a96d2

MD5 hash:

9207b483eafe3c733d67f5c584d4e6e3

SHA1 hash:

995295c1048c939c63c404ae83dc29d4dc8c48fd

Link:

https://www.unpac.me/results/c80e69fb-f225-49b3-bc1f-a9c803c45ecf/

SH256 hash:

00e459ecf6e478ff73bfe2d8275d1db92740b68ec873ba4b16fe926b95342a25

MD5 hash:

b6113d748b31dd95bbec21dbf0ffe1b4

SHA1 hash:

5d45aa439c230762811935b82495cbbd40539c32

Detections:

win_trickbot_auto

win_trickbot_a4

Link:

https://www.unpac.me/results/c80e69fb-f225-49b3-bc1f-a9c803c45ecf/

SH256 hash:

81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77

MD5 hash:

7773c8164949a42936c4d1374cf16284

SHA1 hash:

9e92535dc7bcdd7bf677a643f90ee730784edfc6

Link:

https://www.unpac.me/results/c80e69fb-f225-49b3-bc1f-a9c803c45ecf/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/81fa8a3bdc45/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.69

Link:

https://yomi.yoroi.company/submissions/81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	win_trickbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

exe 81fa8a3bdc452dd2b279b61fed92fe83d65e650e06bca9ee4dfcf991a4a59e77

(this sample)

Link

https://ddanchev.blogspot.com/2022/03/exposing-trickbot-malware-gang-osint.html

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/444408/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample