MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83e093be2b91068dc90b547fabb8c01badb8f8e19f27d6fb208f021d69203e88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83e093be2b91068dc90b547fabb8c01badb8f8e19f27d6fb208f021d69203e88
SHA3-384 hash: 3e4728f08e906905194d2d3161011d768378d1dbcc11920bc807fafd8e74aafb0ca4407d0163202bb2fa236e8a668536
SHA1 hash: 0fefb74aaada5a00eddd8ab54061e637cb5fe844
MD5 hash: 617886f01d41808f9d9f5ba5e6b6fba6
humanhash: magazine-carolina-network-freddie
File name:617886f01d41808f9d9f5ba5e6b6fba6
Download: download sample
Signature TrickBot
Create hunting rule
File size:774'207 bytes
First seen:2021-07-23 17:37:46 UTC
Last seen:2021-07-23 19:14:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e827ff8dfb88b8772c7ce28a390e3682 (3 x TrickBot)
ssdeep 12288:3ibSucgigxeWuhfKQnNSDji+K+YWjZesG5y/phxofpy9:3i3cgigoWuh9NS/PK+TAhophxofpy9
Threatray 983 similar samples on MalwareBazaar
TLSH T107F4DF16BBC0913BD6A24EF04FF1B736E2BB958057E05ED3A7944B4C4C329C1993A726
dhash icon 70d0b2f0f0b2f879 (3 x TrickBot)
Reporter zbetcheckin
Tags:32 exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
617886f01d41808f9d9f5ba5e6b6fba6
Verdict:
Malicious activity
Analysis date:
2021-07-23 17:43:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3d28a02-60ab-498d-83c7-f4343cf64e68

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173749/
Detection(s):
SecuriteInfo.com.ML.PE-A.10196.29993.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c67ca03f-0b44-471b-ac19-2ce64e043033
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820971
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453382 Sample: VBIJ2aXZGV Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 2 other signatures 2->42 8 VBIJ2aXZGV.exe 1 2->8         started        11 cmd.exe 1 2->11         started        process3 signatures4 44 Hijacks the control flow in another process 8->44 46 Writes to foreign memory regions 8->46 48 Allocates memory in foreign processes 8->48 13 wermgr.exe 4 8->13         started        18 cmd.exe 8->18         started        20 VBIJ2aXZGV.exe 1 11->20         started        22 conhost.exe 11->22         started        process5 dnsIp6 30 184.74.99.214, 443, 49750, 49753 TWC-11351-NORTHEASTUS United States 13->30 32 68.69.26.182, 443 KOS-1193CA Canada 13->32 34 13 other IPs or domains 13->34 28 C:\Users\user\AppData\...\VBIJ2aXZGV.exe, PE32 13->28 dropped 50 May check the online IP address of the machine 13->50 52 Writes to foreign memory regions 13->52 54 Tries to detect virtualization through RDTSC time measurements 13->54 56 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 13->56 24 cmd.exe 1 13->24         started        58 Multi AV Scanner detection for dropped file 20->58 file7 signatures8 process9 process10 26 conhost.exe 24->26         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/83e093be2b91068dc90b547fabb8c01badb8f8e19f27d6fb208f021d69203e88/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qpqjhprlsedi3silkr72xogadow3r6hbt4t5n6zar4bb22jah2ea._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
101c5a5784112e7fa5c2f766476dff8663021e2101c8d4569cb5698390cb4636
TrickBot
2c773049e4974dfd199134bdb84cc99cfbe76a6f09996d87e9219767527e5034
TrickBot
a3b6b719ce886b1b47b5e1d94d5d017c6bd58d3732ee3d43e0557b6395a87401
TrickBot
b161eb34e5513131f4b0a4c0318646ed3448122445d7924e03ff5822a6e2d2dd
TrickBot
cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20
TrickBot
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c
TrickBot
d9b9cbd9fd559edd3cf9e386bf6324be90c69902adfc7817d81a95fe4d18a8bf
TrickBot
e4d2675a178319609e0b022d9dfed2b6e68d1d269b0b4e25ed63cc24f7296841
TrickBot
faba77692acd1b52614d6379b4f197af178119baef932ee3157098e3bbcceef7
TrickBot
fe91dea9457e5d92d63cb97758a278939ef33b0529bce694dba57d2db5caedee
TrickBot
+ 973 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob111 banker trojan
Link:
https://tria.ge/reports/210723-x7qbk3dzw2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443
Unpacked files
SH256 hash:
ec529aeb27d1cec02f7942a03707d7f2f3d29a272ce2c150f90cf19ea3ccbb88
MD5 hash:
e92afff24197faea0b4d0f88abca7fdf
SHA1 hash:
88e0c31fbe824546f0d40642ba9af41837355ef9
Link:
https://www.unpac.me/results/a4e3c817-8e97-49dc-8a0c-f0895903bf58/
SH256 hash:
4b6c86049fa90439270a1efc9417148b8d2939dcfeba3e4e19a09ad7f15ff598
MD5 hash:
34a96c5e056cbd3495d88a72b79a553b
SHA1 hash:
2bd86b759a7618f443b69a2090aba651feb30e31
Link:
https://www.unpac.me/results/a4e3c817-8e97-49dc-8a0c-f0895903bf58/
SH256 hash:
4fee228ebc1fe8b1ac281405a5fb765bb77bec209b70dd35ae38a388587a2c02
MD5 hash:
23a6ecd585b04897968687462dedf4f7
SHA1 hash:
29aa1f5b7cbd832f040099922be8feba88e6e693
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a4e3c817-8e97-49dc-8a0c-f0895903bf58/
Parent samples :
e02ec4de6280d08990fa9171ab6cea14be9042af8768645f19823fbab87f68d4
83e093be2b91068dc90b547fabb8c01badb8f8e19f27d6fb208f021d69203e88
7eb249792f19ccda8dd4ad4a1b9e586de58112552a410ae98a9d3280fc02610d
56b7f2b832cb3bca8df659101611574933cf7b478d004111b3824013e61a363b
SH256 hash:
83e093be2b91068dc90b547fabb8c01badb8f8e19f27d6fb208f021d69203e88
MD5 hash:
617886f01d41808f9d9f5ba5e6b6fba6
SHA1 hash:
0fefb74aaada5a00eddd8ab54061e637cb5fe844
Link:
https://www.unpac.me/results/a4e3c817-8e97-49dc-8a0c-f0895903bf58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83e093be2b91068dc90b547fabb8c01badb8f8e19f27d6fb208f021d69203e88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 83e093be2b91068dc90b547fabb8c01badb8f8e19f27d6fb208f021d69203e88

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173749/

Comments


Avatar
zbet commented on 2021-07-23 17:37:47 UTC

url : hxxp://45.89.127.230/images/yellowtank.png