MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a844f4b4cd3aa66b10306bfa01209bcb519d19d7e87b219669a9be984935528b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a844f4b4cd3aa66b10306bfa01209bcb519d19d7e87b219669a9be984935528b
SHA3-384 hash: de7a08c9980e1d0ba7d0a5b274aaffd097508c991b60f3de2bd19aeec82613e1bb8b0a70dcd54c4b8aed49fd82d7c880
SHA1 hash: f8b5a559f4a1aff5d427f21b2138941decc3b8cf
MD5 hash: 6562e6da9fbb441334cd8e89f9224889
humanhash: music-saturn-chicken-fifteen
File name:eflyairplane.png
Download: download sample
Signature TrickBot
Create hunting rule
File size:675'883 bytes
First seen:2021-10-26 00:41:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 542db7e97024de0354d3af3fe3180ab9 (4 x TrickBot)
ssdeep 12288:E3OvNPnZ2TGqZbv0r+EFmd5/gCoXcoHQBQVxvzAiZb:PvN/0T75r1d5YCoXcoH5rpb
TLSH T12DE4CF26B79490FAD5F116360FEB673BB2F6EF60493683471792BB1D0C30A114B26B16
File icon (PE):PE icon
dhash icon f2626a6269696971 (4 x TrickBot)
Reporter nokae8
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
426
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200054/
Detection(s):
SecuriteInfo.com.Variant.Zusy.404642.12037.2389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/61774edcdb358dd15edae223/reports/b59b13bc-e073-4acc-84ea-c34a45ed3dbc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aad2a7c3-130d-4e27-aa97-d9906664bf41
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/876694
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 509127 Sample: eflyairplane.png Startdate: 26/10/2021 Architecture: WINDOWS Score: 92 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Yara detected Trickbot 2->39 41 Machine Learning detection for sample 2->41 7 eflyairplane.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 12 wermgr.exe 4 7->12         started        17 cmd.exe 7->17         started        19 eflyairplane.exe 10->19         started        21 conhost.exe 10->21         started        process5 dnsIp6 29 103.248.217.234, 443, 49876 IDNIC-NORLECTELEKOMINDO-AS-IDPTNorlecTelekomunikasiIndon Indonesia 12->29 31 103.47.170.131, 443, 49770, 49771 GIGANTIC-ASGiganticInfotelPvtLtdIN India 12->31 33 8 other IPs or domains 12->33 27 C:\Users\user\AppData\...\eflyairplane.exe, PE32 12->27 dropped 47 May check the online IP address of the machine 12->47 49 Tries to detect virtualization through RDTSC time measurements 12->49 51 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 12->51 53 Machine Learning detection for dropped file 19->53 55 Writes to foreign memory regions 19->55 57 Allocates memory in foreign processes 19->57 23 wermgr.exe 19->23         started        25 cmd.exe 19->25         started        file7 signatures8 process9
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a844f4b4cd3aa66b10306bfa01209bcb519d19d7e87b219669a9be984935528b/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 00:42:06 UTC
AV detection:
17 of 43 (39.53%)
Threat level:
  5/5
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib169 banker trojan
Link:
https://tria.ge/reports/211026-a2cjqahfbn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
36.91.117.231:443
36.89.228.201:443
103.75.32.173:443
45.115.172.105:443
36.95.23.89:443
103.123.86.104:443
202.65.119.162:443
202.9.121.143:443
139.255.65.170:443
110.172.137.20:443
103.146.232.154:443
36.91.88.164:443
103.47.170.131:443
122.117.90.133:443
103.9.188.78:443
210.2.149.202:443
118.91.190.42:443
117.222.61.115:443
117.222.57.92:443
136.228.128.21:443
103.47.170.130:443
36.91.186.235:443
103.194.88.4:443
116.206.153.212:443
58.97.72.83:443
139.255.6.2:443
Unpacked files
SH256 hash:
54a8bb5538e73b3f28b183445a24b57fc639c54d1801b65f47f600b82b0b2cc5
MD5 hash:
f4f7fe6bf1bcae72a79846f6c3ef191b
SHA1 hash:
cf10475ad6d6918c2975115c7728c675a10b6d7d
Link:
https://www.unpac.me/results/b0228f66-22ef-4344-9c4a-0dec1b513702/
SH256 hash:
078f0a9b383cc76ba43f6da17be8b8959b23945bc04c6aa7914cd9ea9593b82b
MD5 hash:
509cd798f66a243811aa3282809f7ce5
SHA1 hash:
315d829305da03d076bb6e937afd2a21e40e2c7e
Link:
https://www.unpac.me/results/b0228f66-22ef-4344-9c4a-0dec1b513702/
SH256 hash:
e75bb4ff7de159dddbc2f88692570045498349f83005b1206960b16f329ac3c6
MD5 hash:
fba73c26b8dd9386d37e1a9c74b38928
SHA1 hash:
03c1f35b1bb589a8a2ab2b4b50a21eb26751a092
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/b0228f66-22ef-4344-9c4a-0dec1b513702/
Parent samples :
a844f4b4cd3aa66b10306bfa01209bcb519d19d7e87b219669a9be984935528b
0014daeadce3a90746e84a3ddb7388be202598fba7dc67826550df3456e70941
SH256 hash:
a844f4b4cd3aa66b10306bfa01209bcb519d19d7e87b219669a9be984935528b
MD5 hash:
6562e6da9fbb441334cd8e89f9224889
SHA1 hash:
f8b5a559f4a1aff5d427f21b2138941decc3b8cf
Link:
https://www.unpac.me/results/b0228f66-22ef-4344-9c4a-0dec1b513702/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a844f4b4cd3a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a844f4b4cd3aa66b10306bfa01209bcb519d19d7e87b219669a9be984935528b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/200054/

Comments