MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 b039634cd9719da110e0453ed4f668af7f7de7509bafa9205ae147e8aa1c1896. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
TrickBot
Vendor detections: 12
| SHA256 hash: | b039634cd9719da110e0453ed4f668af7f7de7509bafa9205ae147e8aa1c1896 |
|---|---|
| SHA3-384 hash: | b54b82e3617d7b94328855a3d18386f7c17e787a0c8ac4053d0c9a16fa90240913af0fb9606109849e8e7c21bf5384d2 |
| SHA1 hash: | 02610f94dcdbaf66b98335ba6934c180509432b6 |
| MD5 hash: | dbe35d846ec71db904f9a4d20474b47c |
| humanhash: | delta-jupiter-arizona-connecticut |
| File name: | SecuriteInfo.com.Trojan.Agent.FERA.15561.13941 |
| Download: | download sample |
| Signature | TrickBot |
| File size: | 466'944 bytes |
| First seen: | 2021-03-24 04:47:02 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 55084870e14c8f3b289a5358885b34e6 (5 x TrickBot) |
| ssdeep | 6144:34lLCVe+nSUIo0ML1T/oK1bgAyxZ/bmTcO59xwnQV8htFzs+LnzQVXY:QLCVeepIoH1zkaT7B7mFA+7Md |
| Threatray | 3'074 similar samples on MalwareBazaar |
| TLSH | 42A43A32F6981637E26A50B27FB58120B56F98B428319833924F5D4D277BE935E9033F |
| Reporter |  SecuriteInfoCom |
| Tags: | TrickBot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
323
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Agent.FERA.15561.13941
Verdict:
Malicious activity
Analysis date:
2021-03-24 04:49:13 UTC
Tags:
evasion
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Launching a process
Sending a custom TCP request
DNS request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Detection:
trickbot
Threat name:
Win32.Trojan.Bsymem
Status:
Malicious
First seen:
2021-03-24 04:47:07 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
trickbot
Similar samples:
+ 3'064 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Score:
10/10
Tags:
family:trickbot botnet:tot66 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
174.105.236.140:443
67.79.117.70:443
162.155.225.130:443
70.235.74.189:443
72.164.254.204:443
173.219.76.169:443
98.6.253.142:443
137.27.167.58:443
24.182.101.64:449
50.208.68.153:443
67.212.241.127:443
99.147.197.147:443
216.186.128.26:443
174.105.233.82:443
70.119.220.241:443
70.125.241.196:443
24.153.175.236:443
96.68.79.18:443
75.87.15.158:443
47.190.2.12:443
72.180.57.176:443
173.198.151.86:443
47.51.219.98:443
162.155.10.150:443
162.155.69.74:443
71.15.77.155:443
67.79.117.70:443
162.155.225.130:443
70.235.74.189:443
72.164.254.204:443
173.219.76.169:443
98.6.253.142:443
137.27.167.58:443
24.182.101.64:449
50.208.68.153:443
67.212.241.127:443
99.147.197.147:443
216.186.128.26:443
174.105.233.82:443
70.119.220.241:443
70.125.241.196:443
24.153.175.236:443
96.68.79.18:443
75.87.15.158:443
47.190.2.12:443
72.180.57.176:443
173.198.151.86:443
47.51.219.98:443
162.155.10.150:443
162.155.69.74:443
71.15.77.155:443
Unpacked files
SH256 hash:
7692ea1ddf50f55bef032879736f7f313309c265a0a6b4eb1ec9dac7a01a0640
MD5 hash:
18e19e84fa726826258eed6531a475e4
SHA1 hash:
36c3fd1924f9c9b770709d62fb4d5202a3b2deb4
Detections:
win_trickbot_a4
win_trickbot_auto
Parent samples :
b039634cd9719da110e0453ed4f668af7f7de7509bafa9205ae147e8aa1c1896
389ec465ec5038ddb8eaa907961d5602fb23bab039b4f262151526331e15b4bc
13aa0fdd60e89711b5218497c7264c2ac11553ea7034f646c922fa47e8732928
bc8073c4f97ff572812e0a0b0603899223b17eb4f37f02b640848edaff36c981
85cfd42faa485da7e37e87c96a7e19206531a19a37f5cc3edfebd21b5d47d407
389ec465ec5038ddb8eaa907961d5602fb23bab039b4f262151526331e15b4bc
13aa0fdd60e89711b5218497c7264c2ac11553ea7034f646c922fa47e8732928
bc8073c4f97ff572812e0a0b0603899223b17eb4f37f02b640848edaff36c981
85cfd42faa485da7e37e87c96a7e19206531a19a37f5cc3edfebd21b5d47d407
SH256 hash:
2fd4e592d72435fc11bb0cc53820bef7e0c3ce957b8aa4fd06e3b9d33f6fcafe
MD5 hash:
7749dcaf07c494b4dd587fd9011afba7
SHA1 hash:
ca8dfbc61487045759e929f0025128a303a4d274
Detections:
win_trickbot_auto
SH256 hash:
b039634cd9719da110e0453ed4f668af7f7de7509bafa9205ae147e8aa1c1896
MD5 hash:
dbe35d846ec71db904f9a4d20474b47c
SHA1 hash:
02610f94dcdbaf66b98335ba6934c180509432b6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.