MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99a116f3577e8f8054ceb546f05ef212a5e22a686e462d08e8355522feb70fc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	99a116f3577e8f8054ceb546f05ef212a5e22a686e462d08e8355522feb70fc5
SHA3-384 hash:	cbb57ff833abe680dd75758fab250d9f82712bf0208d5d113bff6211797da8c339fd8bbe8c0f6885a525745df76b8f1f
SHA1 hash:	212a08c2ede95e10a8d0cfbac38a3fb59cb3a789
MD5 hash:	f96b185f5b4bc2cf8adbfea62180b515
humanhash:	xray-coffee-arizona-cold
File name:	sshrod.php.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	400'037 bytes
First seen:	2020-04-23 20:27:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	38f1d64ec6a17c7f62ba62b5409b03ab (1 x TrickBot)
ssdeep	6144:OyC06loN2yNtxMcCW9aU2SW9N49JFrVSa6yvmLm:OyC05pNt+cCVUbENyFpSq
Threatray	2'932 similar samples on MalwareBazaar
TLSH	BC842EF6A2D54560CD98F63750830C369B4D3E12E33266BD2D2BB48CFAA6D4097285DF
Reporter	James_inthe_box
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-23 20:27:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tgqrn42xp2hyavgowvdpaxxscks6ektinzdc2chigvksf7vxb7cq._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

2d0d08b27eec389f3edd036b4bb4ded2c24500bf53dba2a3a46eb2ecd36105e6

TrickBot

764553cbeade2cc41c018b08fb22381a32a6c475b86353458d8fbc1aab86afeb

TrickBot

80d162a9d3998938dbf4e82b4411c7aebf3365bef53412c622de318062da3c70

TrickBot

aa816907cbe55fb2e170741297322bdfecc1e68b7f0420fc0459f4d57a395a86

TrickBot

bde211630a1bf959caa59f585baf9c2cf1f8eaaa4dbe53f0c9ed7d1c083f0088

TrickBot

c2d499169a652c5c86ef28b7dca25f23e986bdd93b23fe02115923f698d61b58

TrickBot

da995f78d6ba4f7acab4a421e759cc15d2a3b8ca5549edd76605252e410d65ac

TrickBot

de064838cb87ab944c6a43f9ccfe42875ec2d4e0de7ecb3d61b92d3dcb44c5a9

TrickBot

f4001d5fcb0c67c66b6c2df8f1b1bf173b9b25277c72916105b424137bc90a9b

TrickBot

+ 2'922 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	WINHTTP.dll::WinHttpCloseHandle KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::FreeConsole
WIN_HTTP_API	Uses HTTP services	WINHTTP.dll::WinHttpConnect WINHTTP.dll::WinHttpCrackUrl WINHTTP.dll::WinHttpGetIEProxyConfigForCurrentUser WINHTTP.dll::WinHttpGetProxyForUrl WINHTTP.dll::WinHttpOpenRequest WINHTTP.dll::WinHttpOpen

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample