MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b18158f4b0b344bc4a14d29a5fd2a3e21ec1d6d90adf84fae18c972871a99557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b18158f4b0b344bc4a14d29a5fd2a3e21ec1d6d90adf84fae18c972871a99557
SHA3-384 hash: 354d13d1d36f1cd6c1551b2e792def804a9748a142344970cb3e97ea56997431d7b5103c6c8e6003d133ba6a6f90d8de
SHA1 hash: 438a6b16d2bb77b4cb9ae8b13a99dbc801128e20
MD5 hash: 8fbb7b44b6a3a5c10b7ec3ca73861635
humanhash: island-ten-lithium-six
File name:b18158f4b0b344bc4a14d29a5fd2a3e21ec1d6d90adf84fae18c972871a99557
Download: download sample
Signature TrickBot
Create hunting rule
File size:167'936 bytes
First seen:2020-10-24 21:05:07 UTC
Last seen:2020-10-24 21:56:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:xHnwmtgt9SX0Qqmhxt5yjSbpERPaIUpEgkRrTLwciZuYSXQkec5ZQjx:xH9USX0c7k2CPfUpERT0SXQk1f
Threatray 2 similar samples on MalwareBazaar
TLSH D7F31201C25B5376E947053B494B2DEB63267BFCE32E1769EB4A6C16F7A1F404848B8C
Reporter seifreed
Tags:TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75272/
Detection(s):
SecuriteInfo.com.Trojan.Trick.46210.13860.535.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508740
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Disable Windows Defender notifications (registry)
Disables Windows Defender (via service or powershell)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303487 Sample: ZwjGNyv7Zu Startdate: 24/10/2020 Architecture: WINDOWS Score: 100 75 Found malware configuration 2->75 77 Antivirus / Scanner detection for submitted sample 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 7 other signatures 2->81 8 ZwjGNyv7Zu.exe 1 3 2->8         started        12 ZwkHOyv8Zu.exe 2->12         started        process3 file4 63 C:\Users\user\AppData\...\ZwkHOyv8Zu.exe, PE32 8->63 dropped 65 C:\Users\...\ZwkHOyv8Zu.exe:Zone.Identifier, ASCII 8->65 dropped 83 Disable Windows Defender notifications (registry) 8->83 85 Disables Windows Defender (via service or powershell) 8->85 14 ZwkHOyv8Zu.exe 8->14         started        17 cmd.exe 1 8->17         started        19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        87 Writes to foreign memory regions 12->87 89 Allocates memory in foreign processes 12->89 91 Injects a PE file into a foreign processes 12->91 23 cmd.exe 12->23         started        25 cmd.exe 1 12->25         started        27 cmd.exe 1 12->27         started        29 svchost.exe 12->29         started        signatures5 process6 dnsIp7 93 Antivirus detection for dropped file 14->93 95 Multi AV Scanner detection for dropped file 14->95 97 Machine Learning detection for dropped file 14->97 101 3 other signatures 14->101 32 cmd.exe 1 14->32         started        35 cmd.exe 1 14->35         started        37 2 other processes 14->37 99 Disables Windows Defender (via service or powershell) 17->99 39 2 other processes 17->39 41 2 other processes 19->41 43 2 other processes 21->43 45 2 other processes 23->45 47 2 other processes 25->47 49 2 other processes 27->49 67 47.224.36.228, 449 CHARTER-20115US United States 29->67 69 190.64.67.98, 449, 49738, 49739 AdministracionNacionaldeTelecomunicacionesUY Uruguay 29->69 71 2 other IPs or domains 29->71 signatures8 process9 signatures10 73 Disables Windows Defender (via service or powershell) 32->73 51 powershell.exe 24 32->51         started        53 conhost.exe 32->53         started        55 conhost.exe 35->55         started        57 sc.exe 1 35->57         started        59 conhost.exe 37->59         started        61 sc.exe 1 37->61         started        process11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b18158f4b0b344bc4a14d29a5fd2a3e21ec1d6d90adf84fae18c972871a99557/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2019-09-05 19:19:00 UTC
AV detection:
39 of 48 (81.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgavr5fqwnclysqu2knf7uvd4ipmdvwzblpyj6xbrslsq4njsvlq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
e9b68e43d01d092285e1d109241939a85473ec285448074d0ad0098bc1975550
TrickBot
ee22d1b889f577512fc9a45da2ce24a1ddcafdf1fd412f8dd42aa3b112d1fa91
TrickBot
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot evasion
Link:
https://tria.ge/reports/201024-3pdzpkrefn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Launches sc.exe
Drops file in System32 directory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Stops running service(s)
Trickbot
Unpacked files
SH256 hash:
4c6967305a3f1d78a598c0af65b9a4175b3f4dd01392f2573d4315ef3efa2d1d
MD5 hash:
88d8813f86b96a3b7f4da953f47ed0f6
SHA1 hash:
dd582614453f53295f2f90f7e2302f618c19a2cc
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/750a4cd1-8a7d-4c28-a35d-898c9399e69e/
SH256 hash:
b18158f4b0b344bc4a14d29a5fd2a3e21ec1d6d90adf84fae18c972871a99557
MD5 hash:
8fbb7b44b6a3a5c10b7ec3ca73861635
SHA1 hash:
438a6b16d2bb77b4cb9ae8b13a99dbc801128e20
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/750a4cd1-8a7d-4c28-a35d-898c9399e69e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b18158f4b0b344bc4a14d29a5fd2a3e21ec1d6d90adf84fae18c972871a99557

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/75272/

Comments