MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 984edc19e8360156fc45d04a3ac3c1fb84b5967b449516ffa65be58c5bcee07d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 984edc19e8360156fc45d04a3ac3c1fb84b5967b449516ffa65be58c5bcee07d
SHA3-384 hash: 321d41abb95d0e244af9ec51181ac1bd6114dc7232ea1a2ae57351dd15148f6809a63eb052af92b9bffb59795625ca71
SHA1 hash: 0c00b4a95b39b3c4837211148055fca05c17a235
MD5 hash: de617266f3194a042ae115ed99b3cf97
humanhash: nevada-timing-two-nineteen
File name:984edc19e8360156fc45d04a3ac3c1fb84b5967b449516ffa65be58c5bcee07d
Download: download sample
Signature TrickBot
Create hunting rule
File size:386'048 bytes
First seen:2020-11-14 18:09:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d2e33fedfb3988327dae4de4fd297ea5 (3 x TrickBot)
ssdeep 6144:RRqJU6KgLoRlXazkgwnFfdGM3yevbsznJ92:Rp6vilqzWFP3ybn
Threatray 2 similar samples on MalwareBazaar
TLSH 91844A93163CACA3DCF43BBFC7D3B5081A56659A6738686DB07D9F09B303364525E282
Reporter seifreed
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the system32 subdirectories
Deleting a recently created file
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534967
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
Contains functionality to inject threads in other processes
Creates files in the system32 config directory
Deletes itself after installation
Detected Trickbot e-Banking trojan config
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malware found (based on mutex name)
May check the online IP address of the machine
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316582 Sample: cQ8245rmPr Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Detected Trickbot e-Banking trojan config 2->65 67 6 other signatures 2->67 8 cQ8245rmPr.exe 1 2->8         started        11 cQ8245rmPr.exe 1 2->11         started        13 cQ8245rmPr.exe 2->13         started        15 2 other processes 2->15 process3 signatures4 83 Hijacks the control flow in another process 8->83 85 Writes to foreign memory regions 8->85 87 Allocates memory in foreign processes 8->87 17 svchost.exe 2 8->17         started        89 Injects a PE file into a foreign processes 11->89 21 svchost.exe 2 11->21         started        23 backgroundTaskHost.exe 3 17 11->23         started        25 svchost.exe 13->25         started        27 svchost.exe 15->27         started        29 svchost.exe 15->29         started        process5 file6 43 C:\Users\user\AppData\...\cQ8245rmPr.exe, PE32 17->43 dropped 45 C:\Users\...\cQ8245rmPr.exe:Zone.Identifier, ASCII 17->45 dropped 69 Benign windows process drops PE files 17->69 71 Contains functionality to inject threads in other processes 17->71 31 cQ8245rmPr.exe 17->31         started        47 C:\Windows\System32\config\...\cQ8245rmPr.exe, PE32 21->47 dropped 49 C:\Windows\...\cQ8245rmPr.exe:Zone.Identifier, ASCII 21->49 dropped 73 Creates files in the system32 config directory 21->73 75 Drops executables to the windows directory (C:\Windows) and starts them 21->75 34 cQ8245rmPr.exe 21->34         started        signatures7 process8 signatures9 91 Writes to foreign memory regions 31->91 93 Injects a PE file into a foreign processes 31->93 36 svchost.exe 31->36         started        95 Hijacks the control flow in another process 34->95 97 Machine Learning detection for dropped file 34->97 99 Allocates memory in foreign processes 34->99 39 svchost.exe 3 34->39         started        process10 dnsIp11 77 Deletes itself after installation 36->77 55 36.37.176.6, 443 VIETTELCAMBODIA-AS-APISPIXPINCAMBODIAWITHTHEBESTVERV Cambodia 39->55 57 192.189.25.143, 443 UUNETUS United States 39->57 59 myexternalip.com 216.239.32.21, 443, 49725, 49726 GOOGLEUS United States 39->59 51 C:\Windows\System32\config\...\group_tag, data 39->51 dropped 53 C:\Windows\System32\config\...\client_id, data 39->53 dropped 79 Malware found (based on mutex name) 39->79 81 Creates files in the system32 config directory 39->81 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/984edc19e8360156fc45d04a3ac3c1fb84b5967b449516ffa65be58c5bcee07d/
Threat name:
Win32.Trojan.Trickster
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:11:39 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tbhnygpigyavn7cf2bfdvq6b7ocllft3iskrn75glpsyyw6o4b6q._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
7194aa3ef48725220516bc618aec8ab92ddef859de8f584a6a214ed9812e221a
TrickBot
7c7f5cb3a4abac7fd494817a20e4c8d52d6fa4951fa864836e8d3cdcbbff4841
TrickBot
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201114-pl2lkxfx82/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Looks up external IP address via web service
Deletes itself
Executes dropped EXE
Unpacked files
SH256 hash:
de6a2497924209179b12a56ba68501010e565981e0c6f29a45761a4f7bcf5f4f
MD5 hash:
0d0e1cca9bae14434e17d1d79ced650c
SHA1 hash:
09a8fd50b928307e866cb49e7e646a652c102528
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/14fcfc6c-9897-4f6a-ba12-24a11b5b4866/
SH256 hash:
4c595f402565d68badd9880040ad800ffd88bd2c3347ef061e1141d90813b878
MD5 hash:
b601502340c1c198bc1ca7207e351690
SHA1 hash:
4eaecd2d9012b14dfca48ea7c13824ce5845fda0
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g3
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/14fcfc6c-9897-4f6a-ba12-24a11b5b4866/
Parent samples :
7c7f5cb3a4abac7fd494817a20e4c8d52d6fa4951fa864836e8d3cdcbbff4841
984edc19e8360156fc45d04a3ac3c1fb84b5967b449516ffa65be58c5bcee07d
SH256 hash:
984edc19e8360156fc45d04a3ac3c1fb84b5967b449516ffa65be58c5bcee07d
MD5 hash:
de617266f3194a042ae115ed99b3cf97
SHA1 hash:
0c00b4a95b39b3c4837211148055fca05c17a235
Link:
https://www.unpac.me/results/14fcfc6c-9897-4f6a-ba12-24a11b5b4866/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/984edc19e8360156fc45d04a3ac3c1fb84b5967b449516ffa65be58c5bcee07d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALW_trickbot_bankBot
Create hunting rule
Author:Marc Salinas @Bondey_m
Description:Detects Trickbot Banking Trojan
Rule name:TrickBot
Create hunting rule
Author:sysopfb & kevoreilly
Description:TrickBot Payload
Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments