MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db
SHA3-384 hash: 8b92f2ef7257993dccce97c49f38c26d77acb84e2afa2255419bffd9570c4bc655591413eec79f7e44d3f7586473f7a5
SHA1 hash: 4915815bd95c390548fefd0163785d7f87aadcf0
MD5 hash: 0f38f03055a295b6ac218fae90c8c2a7
humanhash: five-victor-victor-michigan
File name:149ONO60DDT.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:450'982 bytes
First seen:2020-08-05 07:00:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f659b493cd16246e9de665422422669b (62 x TrickBot)
ssdeep 6144:GcgG+DlDlDlPKa4cjcZ70+7FQrH+48PiR5zcakM:v+dKa4cjcaDr+48PQ5z5
Threatray 4'909 similar samples on MalwareBazaar
TLSH 74A48E11FD630042D829057C086A4438DF1B2F7AFD39AA125FC1BE4F47B61666AA5B3F
Reporter JAMESWT_WT
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39006/
Detection(s):
SecuriteInfo.com.Trojan.Packed.140.20303.30840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Delayed writing of the file
Deleting a recently created file
Launching a process
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/410252
Signature
Allocates memory in foreign processes
Delayed program exit found
Found malware configuration
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 22:32:23 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wg2iuwjn5bstddrfcpufkvlm2g2xxfq6owkw6jcrbukxohuh6xnq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05419cb584d67a251d98a302aebeda680806e178d9aecb9265bc1e48dc8897bf
TrickBot
4a8e724787fe19de01666f5ec11febceb8dffbd79da8a7645af6315587048936
TrickBot
55c935b724a8106ccabf0287e1d763ed83a54d899ef0d916c38742341b734607
TrickBot
59c462b186c2d8258a8cc2645f1b24ac91a53e7f49ad91b4e6f7a904736ed1cf
TrickBot
5a4a2a701a5a2ac0af435c31e273d8910d2feacc3a77a9328900c472ddd1d285
TrickBot
667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc
TrickBot
88630567d7dd2637746dc17849ad03bbd8c52cd749aef31d30752cd4e8da7801
TrickBot
b6edc51053088f5d94cec4f62253cb8676f1b5b450a2c0da9562639eb73f45cd
TrickBot
d73a4b780ce969ae7256258aafcf0ef472b6afb8ea3b527ce38cf686a479570d
TrickBot
e6d0cd4425a0d27fa8b175b4545a77a5b543dbe21d0ff28a948f75b0519fafa0
TrickBot
+ 4'899 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200805-8h39gc5n3x/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/39006/
  
URLhaus
https://urlhaus.abuse.ch/url/424217/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/424487/

Comments