MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4dbb8abcf115944c06d542bb0c25e027af51e60b4c8fc40e4c3d0c2a0dcaf8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4dbb8abcf115944c06d542bb0c25e027af51e60b4c8fc40e4c3d0c2a0dcaf8a
SHA3-384 hash: 80f9a419e94e79c3d76226e7e06dc60ebcfae2d9e144519862d23979c83175ef2c7bd17b702cdd31d0921f6b3e7b418c
SHA1 hash: 734919b960b2961e947dc17915c41de998099de1
MD5 hash: fab62dd69c5976a978134efdbe8dcd18
humanhash: pip-yankee-delaware-juliet
File name:278ONO60DDT.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:450'844 bytes
First seen:2020-08-05 07:03:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f659b493cd16246e9de665422422669b (62 x TrickBot)
ssdeep 6144:GcgG+DlDlDlPKa4cjcZ70+7FQrH+48PiR5zcakk:v+dKa4cjcaDr+48PQ5zl
Threatray 5'076 similar samples on MalwareBazaar
TLSH FCA48E11FD630042D829057C086A4438DF1B2F7AFD39AA125FC1BE4F47B61666AA5B3F
Reporter JAMESWT_WT
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Packed.140.20303.30840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Delayed writing of the file
Sending a UDP request
Deleting a recently created file
Launching a process
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/410310
Signature
Allocates memory in foreign processes
Delayed program exit found
Found malware configuration
May check the online IP address of the machine
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4dbb8abcf115944c06d542bb0c25e027af51e60b4c8fc40e4c3d0c2a0dcaf8a/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 22:34:32 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=utn3rk6pcfmujqdnkqv3bqs6aj5pkhtawtepyqheypimfig4v6fa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05419cb584d67a251d98a302aebeda680806e178d9aecb9265bc1e48dc8897bf
TrickBot
4a8e724787fe19de01666f5ec11febceb8dffbd79da8a7645af6315587048936
TrickBot
55c935b724a8106ccabf0287e1d763ed83a54d899ef0d916c38742341b734607
TrickBot
59c462b186c2d8258a8cc2645f1b24ac91a53e7f49ad91b4e6f7a904736ed1cf
TrickBot
5a4a2a701a5a2ac0af435c31e273d8910d2feacc3a77a9328900c472ddd1d285
TrickBot
667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc
TrickBot
88630567d7dd2637746dc17849ad03bbd8c52cd749aef31d30752cd4e8da7801
TrickBot
b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db
TrickBot
b6edc51053088f5d94cec4f62253cb8676f1b5b450a2c0da9562639eb73f45cd
TrickBot
e6d0cd4425a0d27fa8b175b4545a77a5b543dbe21d0ff28a948f75b0519fafa0
TrickBot
+ 5'066 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200805-tcw9d9e386/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4dbb8abcf115944c06d542bb0c25e027af51e60b4c8fc40e4c3d0c2a0dcaf8a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe a4dbb8abcf115944c06d542bb0c25e027af51e60b4c8fc40e4c3d0c2a0dcaf8a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/424519/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/39044/

Comments