MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad6ffe42e13f29cb042920e67867b886fddd40cfae44b5aba4e3331a582b4a0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad6ffe42e13f29cb042920e67867b886fddd40cfae44b5aba4e3331a582b4a0f
SHA3-384 hash: 3d603908887585f3915ec427d85cb5fc21d0a22957f8a73678ad1fc955908b5eafbcf7838834d6fb45b6d602feafaced
SHA1 hash: aa1f20cd5fdc9f899a0d571474fdfe60be41a54a
MD5 hash: d8ef2838bb27c42eddd31c6e65b00963
humanhash: fanta-skylark-hawaii-hamper
File name:d8ef2838bb27c42eddd31c6e65b00963.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:803'251 bytes
First seen:2020-09-11 05:31:03 UTC
Last seen:2020-09-11 06:43:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93dc88155a00ae749ca86929ba8dffd0 (23 x TrickBot)
ssdeep 12288:KbQ5Gmpe+jNBNF8KegmyC+cbGxRt4tIUcOWTFLR3q69zvEQIXE:KcFjZB38KeUC+cbYRt4UB9rhYE
Threatray 2'859 similar samples on MalwareBazaar
TLSH 77059E23AD40B44ADA0B0CB15DFD5A7918363C2164156D4BB2D5BE8C2CB2AD36DF932F
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Agent.EWFR.7408.32294.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Connecting to a non-recommended domain
Connection attempt
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/463829
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad6ffe42e13f29cb042920e67867b886fddd40cfae44b5aba4e3331a582b4a0f/
Threat name:
Win32.Trojan.TrickbotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-09-11 05:32:08 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvx74qxbh4u4wbbjedthqz5yq3652qgpvzcllk5e4mzruwbljihq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05b662e6e0ee03a3e2b87b14fcda6e28f8e048b62f5baeb698068b85d83b1181
TrickBot
06e399b781a4c5a13d67764d76189854beb3699409a5c5809eede651ba0f7435
TrickBot
09489e108c5b049847f98b97af75418db20af15d9cd727b240b922954b626845
TrickBot
66b833cc53b7c8984cb521afbb3f91a64e045a2830bc2e456e91becc7d282179
TrickBot
6f4e027d6a43811701f9f73b69e77a83e51336457284fb7925dcbed71b13820c
TrickBot
7b3850e39e8474d1f218df0d2ba21a3315759ebed9b40957f6336d313103ffb6
TrickBot
7eb79859f61d8c17c2311867019dca95098df7f55c0ef00580f1cf7fa904a99f
TrickBot
912790d045d0e672bfb1069b453c50e22f1ab7b5d728c364ac3c5cdd05e85c4e
TrickBot
bea4a28914661d6b96f19150a9231d4718a4566ac737c2703c146dd04cf594b9
TrickBot
e8b03d2e2f16d44d8ce2272bb7f19c80c3006215b00624c79c204c70f54d1d83
TrickBot
+ 2'849 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200911-x4vw53sfk2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad6ffe42e13f29cb042920e67867b886fddd40cfae44b5aba4e3331a582b4a0f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe ad6ffe42e13f29cb042920e67867b886fddd40cfae44b5aba4e3331a582b4a0f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/459871/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/58576/

Comments