MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8366ec12a0a566dd36e60c387942b054865d2ee8d9aba3fd502b34068514bc64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments 1

SHA256 hash:	8366ec12a0a566dd36e60c387942b054865d2ee8d9aba3fd502b34068514bc64
SHA3-384 hash:	100f5dbb38a3764116cfaff4771d877d100e6412c7456d5392b0e3f1191c42b5a68a082341faa883fd6c6ea250984826
SHA1 hash:	9d240207825f9d9f4d8bdeb9101955590df4b269
MD5 hash:	3bebcce1e78d963d90820acdf905afad
humanhash:	orange-eight-delaware-ack
File name:	3bebcce1e78d963d90820acdf905afad.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	569'344 bytes
First seen:	2021-05-11 07:12:52 UTC
Last seen:	2021-05-11 08:20:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e0000a9c7cd3e5025595cb8f9725a382 (2 x TrickBot)
ssdeep	12288:WPwlONBStX5U6N8wtVV9NMjOjr84NL4aB:WButX5Uz6VVsjU8La
Threatray	2'116 similar samples on MalwareBazaar
TLSH	91C4C042F6E081F1D75228310EEB573EF1B9AA455F308BC79394EE2D9D36492D93A324
Reporter	abuse_ch
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

362

Origin country :

n/a

Vendor Threat Intelligence

Detection:

TrickBot

Link:

https://www.capesandbox.com/analysis/154895/

Detection(s):

SecuriteInfo.com.Trojan.KillProc2.15985.25974.18724.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching a process

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

TrickBot

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/778359

Signature

Allocates memory in foreign processes

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/8366ec12a0a566dd36e60c387942b054865d2ee8d9aba3fd502b34068514bc64/

Threat name:

Win32.Trojan.Trickpak

Status:

Malicious

First seen:

2021-05-11 07:13:18 UTC

AV detection:

12 of 47 (25.53%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qntoyevauvtn2nxgbq4hsqvqksdf2lxi3gv2h7kqfm2anbiuxrsa._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

055234a3607c09868727f44eb871614aba6b3b01ac60174501f127ca0be24642

TrickBot

0cbb778ba97972e04788fa7fee0d36e4c0e584df2dd07fa9cc93c6fa1a81a6b2

TrickBot

241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808

TrickBot

2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed

TrickBot

52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929

TrickBot

678de819abf5f00b28eaaa8239169a08a75050a4df26fe3ce5b262d6c7b6cb24

TrickBot

89591fbf63f1c182f87402dc5a6ad27b79c158129ab5ac75cc1139a2396b528e

TrickBot

e4c2e4b74dec6920092f848ad4df6c489c18ecfb928cc10fbabe865a15958dc3

TrickBot

f5e103d4ae71ed138bc80e4a7a909c26ad6be88238269643141d3f5043e4ff13

TrickBot

+ 2'106 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:tot97 banker trojan

Link:

https://tria.ge/reports/210511-5s96r7q5mn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DriveBy Activity

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/8366ec12a0a566dd36e60c387942b054865d2ee8d9aba3fd502b34068514bc64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_trickbot_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

exe 8366ec12a0a566dd36e60c387942b054865d2ee8d9aba3fd502b34068514bc64

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1191570/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/154895/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 08:09:08 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [F0002.001] Collection::Application Hook
3) [F0002.002] Collection::Polling
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0045] File System Micro-objective::Copy File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
11) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
12) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
13) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
14) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
15) [C0040] Process Micro-objective::Allocate Thread Local Storage
16) [C0041] Process Micro-objective::Set Thread Local Storage Value
17) [C0018] Process Micro-objective::Terminate Process