MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94d90e7f0577f2e80461a2eef2bfe4710a6e1afddb6bb2b0585610c1dda0beec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94d90e7f0577f2e80461a2eef2bfe4710a6e1afddb6bb2b0585610c1dda0beec
SHA3-384 hash: eeb6d4710b5e5fd1d63e4455414a106e6e34861f935d9e1c878aeee0a3394252d4d25da6c95f1432847f335a4244ba62
SHA1 hash: 0a48c26cece79bb92ac1153a37ef194a4ec44574
MD5 hash: ffe21dc02e9a638307501285b024aefe
humanhash: glucose-washington-delaware-virginia
File name:ffe21dc02e9a638307501285b024aefe.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:851'968 bytes
First seen:2021-11-01 18:18:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d70d92f424e874b7f2d958376b177fa6 (6 x TrickBot)
ssdeep 12288:m1d+w0o2/pnRsHnF2XqBNiKtxRDB02HTUj/AUYQ+wsE6tn6tkB:Mesl2XqBNicTtZQO1vB
Threatray 4'214 similar samples on MalwareBazaar
TLSH T12B05CF123AB0C077E2B291754EF6BB69A2FDA9205F674DC723810B5D7D31CC1573A22A
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ffe21dc02e9a638307501285b024aefe.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-01 18:39:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4cdd9fed-8543-473e-a6f7-6b6132dc1eb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201173/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.79442.14984.21034.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/61802f9bdb358dd15ee3c709/reports/ce565f5b-1e2f-4528-abba-00d956f4df8c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5cef6afe-8b81-498a-89ff-f72261a631c9
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880670
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found detection on Joe Sandbox Cloud Basic with higher score
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1892 Sample: r433fCa9zW.exe Startdate: 01/11/2021 Architecture: WINDOWS Score: 100 30 wtfismyip.com 2->30 32 91.143.129.102.zen.spamhaus.org 2->32 34 2 other IPs or domains 2->34 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 4 other signatures 2->48 8 r433fCa9zW.exe 2->8         started        11 cmd.exe 1 2->11         started        signatures3 process4 signatures5 50 Writes to foreign memory regions 8->50 52 Allocates memory in foreign processes 8->52 13 wermgr.exe 4 8->13         started        18 cmd.exe 8->18         started        20 r433fCa9zW.exe 11->20         started        22 conhost.exe 11->22         started        process6 dnsIp7 36 46.99.175.217, 443, 49788, 49790 IPKO-ASAL Albania 13->36 38 wtfismyip.com 84.22.120.25, 49789, 80 TILAANL Germany 13->38 40 105.27.205.34, 443, 49842 SEACOM-ASMU Mauritius 13->40 28 C:\Users\user\AppData\...\r433fCa9zW.exe, PE32 13->28 dropped 54 Tries to harvest and steal browser information (history, passwords, etc) 13->54 56 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 13->56 58 Antivirus detection for dropped file 20->58 60 Multi AV Scanner detection for dropped file 20->60 62 Writes to foreign memory regions 20->62 64 Allocates memory in foreign processes 20->64 24 wermgr.exe 20->24         started        26 cmd.exe 20->26         started        file8 signatures9 process10
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/94d90e7f0577f2e80461a2eef2bfe4710a6e1afddb6bb2b0585610c1dda0beec/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 18:19:08 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
061489cf971a1b984d5eba4d9542972bc755179d5bd6539bdb9852259ebbb565
TrickBot
1309cc563fba424dfbf77e08438fa80738a269bc86e46ca9c3f374b19fecb181
TrickBot
549babb526332bc84aeab495b8b99982c30497716142c317e13fe3e96cf7188e
TrickBot
64c5309cb3d2245b3dfadf321296c8a7cf86c9ae33764e09a41932c3c4fc823e
TrickBot
734f8fbef8f83ac79bb0fa464a091889c6cb044b4e2a3471138ff766785e2361
TrickBot
784b92117e7bf582e7c9d5d9691b228f048ab1d68bf62fa5d730b790d196565e
TrickBot
89b3499862e34095b284fc1b97bdd3f2d2f7bf56b6f43bfaed554d9872498bc7
TrickBot
+ 4'204 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lip143 banker trojan
Link:
https://tria.ge/reports/211101-wx7d7afdap/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
1011e2de669ab71b736112c16c98cba88c39f628434f12de4d143dede9cedd1f
MD5 hash:
2e69aa5ea97b9c9858242142d7a59b31
SHA1 hash:
cdbe21595f883622414045c83eb972caeb7e5eaa
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/30e5665a-5181-43a3-9284-4bcca2c406d5/
Parent samples :
89b3499862e34095b284fc1b97bdd3f2d2f7bf56b6f43bfaed554d9872498bc7
4613bb0bee74dc7f5bf3344f6a2d1fb353717cc2d0066530cfffe93a60938d20
549babb526332bc84aeab495b8b99982c30497716142c317e13fe3e96cf7188e
64c5309cb3d2245b3dfadf321296c8a7cf86c9ae33764e09a41932c3c4fc823e
94d90e7f0577f2e80461a2eef2bfe4710a6e1afddb6bb2b0585610c1dda0beec
SH256 hash:
91b7380505157f40c574254f7371c6ddf6cf01fdb4914b7381904b94bf404373
MD5 hash:
678c6702aee668dbcde3082290031100
SHA1 hash:
bf315d182181c37a07ba3de3d9fcf0fb23eaa2ac
Link:
https://www.unpac.me/results/30e5665a-5181-43a3-9284-4bcca2c406d5/
SH256 hash:
2504b296cacf0e0776bc50f8d05ba3121be06fae87bb4713372aebf81339425c
MD5 hash:
4e8fdb995f3c7ca9938806061b07449b
SHA1 hash:
aa3398bc63b1e5bafdb9e1423ddff9253b41627c
Link:
https://www.unpac.me/results/30e5665a-5181-43a3-9284-4bcca2c406d5/
SH256 hash:
94d90e7f0577f2e80461a2eef2bfe4710a6e1afddb6bb2b0585610c1dda0beec
MD5 hash:
ffe21dc02e9a638307501285b024aefe
SHA1 hash:
0a48c26cece79bb92ac1153a37ef194a4ec44574
Link:
https://www.unpac.me/results/30e5665a-5181-43a3-9284-4bcca2c406d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94d90e7f0577f2e80461a2eef2bfe4710a6e1afddb6bb2b0585610c1dda0beec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 94d90e7f0577f2e80461a2eef2bfe4710a6e1afddb6bb2b0585610c1dda0beec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1698135/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201173/

Comments