MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b039b8374364c149ab5f182fb9f3ab47ab09e3918afa0bcaae3d22974a665cbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b039b8374364c149ab5f182fb9f3ab47ab09e3918afa0bcaae3d22974a665cbc
SHA3-384 hash: 57ec50ca7167457fd609169f9a09d3bbf14cdf97157fa77b2a09a98ee26d3f31c2f983b1c930d1434a754712f8921b20
SHA1 hash: ffc25d8957d4af9a47c5690c31bcea5a2e349766
MD5 hash: 0d2eb073df57636f99952e1d80c378a1
humanhash: oven-ink-idaho-vegan
File name:0d2eb073df57636f99952e1d80c378a1.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:753'743 bytes
First seen:2021-05-14 18:13:12 UTC
Last seen:2021-05-14 19:11:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ead8b58f090444c7c586af0c5013096 (4 x TrickBot)
ssdeep 12288:AbMr9Z/ztemes414FB4ycKSHtqAYLHVa+SbwwG:AbaZ/zZ414hRSHiHAhbzG
Threatray 3'190 similar samples on MalwareBazaar
TLSH 82F45A21F101942FF6B005F289B69BF7DEB5EC028D2176D6D7DA36680B3D893462DD82
Reporter abuse_ch
Tags:exe tot100 TrickBot

Intelligence

File Origin
# of uploads :
3
# of downloads :
333
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0d2eb073df57636f99952e1d80c378a1.exe
Verdict:
Malicious activity
Analysis date:
2021-05-14 18:20:59 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/09caa9b3-4293-4901-a013-8db52c5bafd7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/156891/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Sending a custom TCP request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/782170
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b039b8374364c149ab5f182fb9f3ab47ab09e3918afa0bcaae3d22974a665cbc/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-14 14:25:11 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wa43qn2dmtautk27dax3t45li6vqty4rrl5axsvohurjostgls6a._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0cbb778ba97972e04788fa7fee0d36e4c0e584df2dd07fa9cc93c6fa1a81a6b2
TrickBot
1e472b9de49871cbf3a381b560312a55163a196213329fdae34f4bbae6dd9d20
TrickBot
241991bef5ce7be4a96b094d109f694114248700a40ae535d5440b242e86e808
TrickBot
4c4551708fc11f828358140cb1278aee54e661c6637f7b6e714c8b619315736f
TrickBot
7500223b9a23a332ccb85b42ad8536250ba2cbd77ed8cf80c1b1a4ffe6876865
TrickBot
8366ec12a0a566dd36e60c387942b054865d2ee8d9aba3fd502b34068514bc64
TrickBot
89591fbf63f1c182f87402dc5a6ad27b79c158129ab5ac75cc1139a2396b528e
TrickBot
c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2
TrickBot
f5e103d4ae71ed138bc80e4a7a909c26ad6be88238269643141d3f5043e4ff13
TrickBot
fd3af0e7890546cc6e6ee828df5a31a4c88c587f968b0298a672b703bf71b7e4
TrickBot
+ 3'180 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot100 banker trojan
Link:
https://tria.ge/reports/210514-khp16775j6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b039b8374364c149ab5f182fb9f3ab47ab09e3918afa0bcaae3d22974a665cbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe b039b8374364c149ab5f182fb9f3ab47ab09e3918afa0bcaae3d22974a665cbc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1191570/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/156891/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-14 19:03:10 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.012] Anti-Behavioral Analysis::Human User Check
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [F0002.002] Collection::Polling
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0049] File System Micro-objective::Get File Attributes
6) [C0051] File System Micro-objective::Read File
7) [C0050] File System Micro-objective::Set File Attributes
8) [C0052] File System Micro-objective::Writes File
9) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
12) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
16) [C0040] Process Micro-objective::Allocate Thread Local Storage
17) [C0038] Process Micro-objective::Create Thread
18) [C0054] Process Micro-objective::Resume Thread
19) [C0041] Process Micro-objective::Set Thread Local Storage Value
20) [C0055] Process Micro-objective::Suspend Thread
21) [C0018] Process Micro-objective::Terminate Process