MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4
SHA3-384 hash: e8e707251302e738d30c34c08e1eb94f34a2042ea5b7c85c943f7b5b7067b2a510bbdde1a3556a025b7593d2aa7a9d39
SHA1 hash: 4899afe80086a97c1825b37ae34e55af0945042b
MD5 hash: ab514dc1ce046921ffd95c5c7797b496
humanhash: potato-echo-king-nebraska
File name:ab514dc1ce046921ffd95c5c7797b496.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:1'338'527 bytes
First seen:2021-11-21 08:33:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 24576:OQLny3OiG7O5fWcmCM4jBg0nWDqVXF1/Vz897cDH6WboJVIb90I8Yls:OQLy3Z5ecmCMqhnllLNgIHjbiIb9O
Threatray 936 similar samples on MalwareBazaar
TLSH T1F355EF337CAC475DC8901B73CD93E27116AE2E5B5AF2C14A50F66F878BF01989016F9A
dhash icon 00ccf0d4ccd0dc00 (4 x TrickBot)
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
797
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab514dc1ce046921ffd95c5c7797b496.exe
Verdict:
Malicious activity
Analysis date:
2021-11-21 08:36:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ca1fd205-44e1-49b1-b0f9-9ca4f997571a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Trojan.Generic-9822957-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.MSIL.Krypt.11.1240.9175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending a custom TCP request
Creating a process from a recently created file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien conti monero overlay packed strictor
Link:
https://www.filescan.io/uploads/619a047d398e2553d2ff9c3c/reports/2f5b0eee-fc56-45a6-9dc8-b5a0713054e2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97b0a8ab-ae87-4156-848d-fa75ba69341c
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893222
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample is not signed and drops a device driver
Sigma detected: Suspicious Certutil Command
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525695 Sample: MjI5mmapoM.exe Startdate: 21/11/2021 Architecture: WINDOWS Score: 100 69 Antivirus / Scanner detection for submitted sample 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected Trickbot 2->73 75 2 other signatures 2->75 11 MjI5mmapoM.exe 1 6 2->11         started        15 rundll32.exe 2->15         started        process3 file4 57 C:\Users\user\AppData\Local\...\Appare.sys, data 11->57 dropped 91 Sample is not signed and drops a device driver 11->91 17 cmd.exe 1 11->17         started        19 cmd.exe 1 11->19         started        signatures5 process6 signatures7 22 cmd.exe 2 17->22         started        26 conhost.exe 17->26         started        28 certutil.exe 2 17->28         started        77 Obfuscated command line found 19->77 79 Uses ping.exe to sleep 19->79 81 Drops PE files with a suspicious file extension 19->81 83 Uses ping.exe to check the status of other devices and networks 19->83 30 conhost.exe 19->30         started        process8 file9 55 C:\Users\user\AppData\Local\Temp\...\Tua.com, PE32 22->55 dropped 85 Obfuscated command line found 22->85 87 Uses ping.exe to sleep 22->87 32 Tua.com 22->32         started        34 PING.EXE 1 22->34         started        37 certutil.exe 2 22->37         started        39 findstr.exe 1 22->39         started        signatures10 process11 dnsIp12 41 Tua.com 32->41         started        59 127.0.0.1 unknown unknown 34->59 61 192.168.2.1 unknown unknown 34->61 process13 dnsIp14 63 rrrioYNbTRzfc.rrrioYNbTRzfc 41->63 89 Injects a PE file into a foreign processes 41->89 45 Tua.com 1 41->45         started        signatures15 process16 signatures17 93 Writes to foreign memory regions 45->93 95 Allocates memory in foreign processes 45->95 48 wermgr.exe 45->48         started        51 wermgr.exe 45->51         started        53 conhost.exe 45->53         started        process18 signatures19 65 Tries to detect virtualization through RDTSC time measurements 48->65 67 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 48->67
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 02:37:29 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgw64afbgk4wu32foayzkoyb7updelcxx7z7zfixw7ms2g5iqt2a._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
TrickBot
1a5d1d3d58f829e1447df95583770da8106382f32ebced394eccda36a921bdf5
TrickBot
487178988d7c3bebc34fe2c40f1b19cd8f89f2753d552a19c4fe5da82f22d828
TrickBot
6f61d466fdb609fd461ba5979fab4a908a5a1c61336566e1313d54d9bf484366
TrickBot
7735a05791f9c8d69e6211b9d5df24a852fcf7e6e8bae876f4ac126023c52852
TrickBot
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
TrickBot
97aa05fceef261ee4ca00025a69280b8f9843ba6531a48ee543eed1f37af8c27
TrickBot
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
TrickBot
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
TrickBot
d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea
TrickBot
+ 926 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob1 banker persistence trojan
Link:
https://tria.ge/reports/211121-kgfezsdfdj/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
85.204.116.83:443
91.200.100.143:443
83.151.14.13:443
107.191.61.39:443
113.160.129.15:443
139.162.182.54:443
139.162.44.152:443
144.202.106.23:443
158.247.219.186:443
172.105.107.25:443
172.105.190.51:443
172.105.196.53:443
172.105.25.190:443
178.79.138.253:443
192.46.229.48:443
207.246.92.48:443
216.128.130.16:443
45.79.126.97:443
45.79.155.9:443
45.79.212.97:443
45.79.253.142:443
45.79.90.143:443
66.42.113.16:443
85.159.214.61:443
Unpacked files
SH256 hash:
80d8b249115f129d8be6f8339406dbab1c9d7abce4c68c63f413158e350268e4
MD5 hash:
a6bb64deb358f76c8442fd1ace83283b
SHA1 hash:
9151d2d3c9e99e15b943c6c77ea0aa07bd464af0
Link:
https://www.unpac.me/results/5e794120-9169-44f6-8ff1-375f293a4d64/
SH256 hash:
b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4
MD5 hash:
ab514dc1ce046921ffd95c5c7797b496
SHA1 hash:
4899afe80086a97c1825b37ae34e55af0945042b
Link:
https://www.unpac.me/results/5e794120-9169-44f6-8ff1-375f293a4d64/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b1adee00a132/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0ddeb53f957337fbeaf98c4a615b149d
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207847/

Comments