MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e2c9fa5f0c1bd5348d3a6996ab5855104ac9580defad7789f4296ce9d5305a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	9e2c9fa5f0c1bd5348d3a6996ab5855104ac9580defad7789f4296ce9d5305a0
SHA3-384 hash:	937c959c00cde1377aa92c1b90c0b512f46fd589f80e82a0648bb312e1c05ffc1a17f82825ab866f77399f1a45bf8df0
SHA1 hash:	3e5a8cf2c8bbf21c3f4edcc8720fa1db51234bac
MD5 hash:	d78b148f08b3a869fbc8fe66fa91ade0
humanhash:	grey-pip-early-video
File name:	d78b148f08b3a869fbc8fe66fa91ade0.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	465'408 bytes
First seen:	2021-07-22 15:39:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	13012c7764c22db0eea00ae6b1458d85 (7 x TrickBot)
ssdeep	6144:ybRfnjXFr2KGL3bbHHjYXWOZcy8QGd37ci/fW6/gNXtlTF5yVNU5JhJDCyFE:UZr2zHHmjMd1W6/gNXtrkVQhJDrG
Threatray	869 similar samples on MalwareBazaar
TLSH	T14EA4E02C3480F4F6E0230175C9999665CAADB8247B2378E7E7C46EFA7F655C09A3431E
dhash icon	80a1ecf4f4687000 (7 x TrickBot)
Reporter	abuse_ch
Tags:	exe rob110 TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d78b148f08b3a869fbc8fe66fa91ade0.exe

Verdict:

Suspicious activity

Analysis date:

2021-07-22 15:43:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bcc8f14c-819e-4e5a-90db-f592aed0346a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/173363/

Detection(s):

Win.Malware.Generic-9880574-0

SecuriteInfo.com.W32.AIDetect.malware1.13546.8288.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

TrickBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d5e48c2b-f4f3-408d-878e-3093e1a6aa96

Result

Threat name:

TrickBot

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/820254

Signature

Allocates memory in foreign processes

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Trickbot

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/9e2c9fa5f0c1bd5348d3a6996ab5855104ac9580defad7789f4296ce9d5305a0/

Threat name:

Win32.Trojan.TrickBotCrypt

Status:

Malicious

First seen:

2021-07-22 14:44:59 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:rob110 banker trojan

Link:

https://tria.ge/reports/210722-pr1gkqs9vs/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443