MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dfccdd661911ebefed4ec661fdb0d8ad5dee2ce3413ca2b7ad556a3c2f8adac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dfccdd661911ebefed4ec661fdb0d8ad5dee2ce3413ca2b7ad556a3c2f8adac
SHA3-384 hash: ea2e43cd1b2b5b152c09b5a82a6b8426ab037ae28dcec029e5f6f2ca811fd5cba3ebfbba5cc095c3a9b0e5cbbc062b4b
SHA1 hash: 81bc9559b326b608886f666d54ffe3e399a0a4d7
MD5 hash: 69a7c8cbf101a552b60917390597d9b1
humanhash: edward-twenty-triple-idaho
File name:8dfccdd661911ebefed4ec661fdb0d8ad5dee2ce3413ca2b7ad556a3c2f8adac
Download: download sample
Signature TrickBot
Create hunting rule
File size:376'832 bytes
First seen:2020-11-13 16:17:17 UTC
Last seen:2024-07-24 18:50:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0aac6d4b8efd63ccf7b57fb8d190791e (6 x TrickBot)
ssdeep 6144:EnDl487JrlTZR5TX5cCy4dnpVO5Xi8ZBnAQhhvIC8fh/h+qHnRMZii7Wprq/:Sl48TZRNXKCymbO5n34C8+qHnsh7kO/
Threatray 6 similar samples on MalwareBazaar
TLSH 7884AF3BAB52DAA9F90846FB5861DA478CFDF47312C8F0D7D7472812AC65A81DC36630
Reporter seifreed
Tags:TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534175
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected Trickbot e-Banking trojan config
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disables Windows Defender (via service or powershell)
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316187 Sample: EnkIyRDCVr Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 79 Found malware configuration 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 5 other signatures 2->85 10 EnkIyRDCVr.exe 2->10         started        13 FnkJyREDVs.exe 2->13         started        process3 signatures4 97 Detected unpacking (changes PE section rights) 10->97 99 Injects a PE file into a foreign processes 10->99 101 Delayed program exit found 10->101 15 EnkIyRDCVr.exe 1 3 10->15         started        103 Sample uses process hollowing technique 13->103 process5 file6 65 C:\Users\user\AppData\...\FnkJyREDVs.exe, PE32 15->65 dropped 67 C:\Users\...\FnkJyREDVs.exe:Zone.Identifier, ASCII 15->67 dropped 75 Disable Windows Defender notifications (registry) 15->75 77 Disables Windows Defender (via service or powershell) 15->77 19 FnkJyREDVs.exe 15->19         started        22 cmd.exe 1 15->22         started        24 cmd.exe 1 15->24         started        26 cmd.exe 1 15->26         started        signatures7 process8 signatures9 87 Antivirus detection for dropped file 19->87 89 Multi AV Scanner detection for dropped file 19->89 91 Detected unpacking (changes PE section rights) 19->91 95 2 other signatures 19->95 28 FnkJyREDVs.exe 19->28         started        93 Disables Windows Defender (via service or powershell) 22->93 31 powershell.exe 24 22->31         started        33 conhost.exe 22->33         started        35 conhost.exe 24->35         started        37 sc.exe 1 24->37         started        39 conhost.exe 26->39         started        41 sc.exe 1 26->41         started        process10 signatures11 105 Hijacks the control flow in another process 28->105 107 Writes to foreign memory regions 28->107 109 Allocates memory in foreign processes 28->109 111 2 other signatures 28->111 43 svchost.exe 1 3 28->43         started        47 cmd.exe 1 28->47         started        49 cmd.exe 1 28->49         started        51 cmd.exe 1 28->51         started        process12 dnsIp13 69 62.31.150.202, 443 NTLGB United Kingdom 43->69 71 ipecho.net 216.239.32.21, 443, 49736, 49737 GOOGLEUS United States 43->71 73 209.121.142.214, 449, 49738, 49739 ASN852CA Canada 43->73 113 Creates autostart registry keys with suspicious names 43->113 115 Disables Windows Defender (via service or powershell) 47->115 53 powershell.exe 18 47->53         started        55 conhost.exe 47->55         started        57 conhost.exe 49->57         started        59 sc.exe 1 49->59         started        61 conhost.exe 51->61         started        63 sc.exe 1 51->63         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8dfccdd661911ebefed4ec661fdb0d8ad5dee2ce3413ca2b7ad556a3c2f8adac/
Threat name:
Win32.Infostealer.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 16:34:49 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rx6m3vtbsepl57wu5rtb7wynrlk55ywogqj4uk322vlkhqxyvwwa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
052264ad79e29dba2e4574f24d90fc15065de02685f4fc4a308c11e972bf72c1
TrickBot
23df6c7581b2fe80336763ab3f25db6fdd1c6249b01f75beb58793628eb0c615
TrickBot
261e6a161980bf628360fc371e791ccd31740ec571ebd523e742404e350ffb05
TrickBot
6952da5cbad1a97c504747baeb0f42391c78567b1f70bdeab2a8c60c1b28f39d
TrickBot
7194aa3ef48725220516bc618aec8ab92ddef859de8f584a6a214ed9812e221a
TrickBot
ea6a9b346baf1452cb2353f5c00c85b1a613652b9628d96e76cd1751ddec8295
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:mon1 banker evasion persistence trojan
Link:
https://tria.ge/reports/201113-71v6p5kejj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Stops running service(s)
Trickbot
Trickbot x86 loader
Malware Config
C2 Extraction:
138.34.32.218:443
86.61.177.139:443
188.124.167.132:449
93.109.242.134:443
62.31.150.202:443
158.58.131.54:443
36.74.100.211:449
66.229.97.133:443
200.111.167.227:449
109.86.227.152:443
85.172.38.59:449
67.162.236.158:443
66.232.212.59:443
80.53.57.146:443
182.253.210.130:449
155.133.31.21:449
176.222.255.2:443
209.121.142.202:449
138.34.32.74:443
209.121.142.214:449
144.48.51.8:443
199.250.230.169:443
92.53.66.78:443
195.54.163.93:443
185.159.129.78:443
185.174.172.249:443
109.234.37.52:443
37.46.135.218:443
94.103.82.239:443
Unpacked files
SH256 hash:
8dfccdd661911ebefed4ec661fdb0d8ad5dee2ce3413ca2b7ad556a3c2f8adac
MD5 hash:
69a7c8cbf101a552b60917390597d9b1
SHA1 hash:
81bc9559b326b608886f666d54ffe3e399a0a4d7
Link:
https://www.unpac.me/results/a3026899-c639-498a-b6f9-ee523e8eca2e/
SH256 hash:
1aedfb68b3f057c23395db1fcd66f5d487303652fcf221a57ce654397041895a
MD5 hash:
bfd5824ea4208936d62eba99c8f1803d
SHA1 hash:
e6b1317f2272179c9df843a69b84af3d9ae9ad39
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a3026899-c639-498a-b6f9-ee523e8eca2e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:TrickBot
Create hunting rule
Author:sysopfb & kevoreilly
Description:TrickBot Payload
Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments