MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2b541feed14e5570cfcceaca76144a6f54a058a5d820f1b822c47ab0ce38694. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2b541feed14e5570cfcceaca76144a6f54a058a5d820f1b822c47ab0ce38694
SHA3-384 hash: 37a1cb40eacaf52684777268dcc4839ad9f82acf764fe6fff01de93bd5ae100f06dd95e978fd28cd7baeb52a70faa199
SHA1 hash: 49a5e515368553ab2bbac7edc674fdc5aa5ebdc5
MD5 hash: b897908e6a01adc6768650971e2b4cf6
humanhash: whiskey-queen-xray-salami
File name:b897908e6a01adc6768650971e2b4cf6
Download: download sample
Signature TrickBot
Create hunting rule
File size:774'195 bytes
First seen:2021-06-23 05:03:15 UTC
Last seen:2021-06-23 05:47:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 53e4d13a217de8fcf024ca150e7234ba (9 x TrickBot)
ssdeep 12288:yqFVInSRf0r8caj0w4ckd4MZo+YZFVRAfW:EnSRfm8mckd4oodZPRh
Threatray 3'205 similar samples on MalwareBazaar
TLSH 1AF4CF123AF1E476D1A615F04EF6EB24A3FAE9609F3249C737D14A4C79319C14A3B326
Reporter zbetcheckin
Tags:32 exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b897908e6a01adc6768650971e2b4cf6
Verdict:
Suspicious activity
Analysis date:
2021-06-23 05:05:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e9f8afd3-d7f7-4975-89f0-f0b839dd8f91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167718/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.22121.18018.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca64ab53-fb0d-49ba-9479-e2f0d1477b66
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806368
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438779 Sample: el6eob4c1F Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 4 other signatures 2->49 7 el6eob4c1F.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 51 Writes to foreign memory regions 7->51 53 Allocates memory in foreign processes 7->53 12 wermgr.exe 7->12         started        16 cmd.exe 7->16         started        18 cmd.exe 7->18         started        20 conhost.exe 10->20         started        process5 dnsIp6 37 144.48.138.213, 443 SEATELECOM-KHSOUTHEASTASIATELECOMCambodiaCoLTDK Cambodia 12->37 39 172.105.15.152, 443, 49729 LINODE-APLinodeLLCUS United States 12->39 41 9 other IPs or domains 12->41 57 Hijacks the control flow in another process 12->57 59 May check the online IP address of the machine 12->59 61 Writes to foreign memory regions 12->61 63 2 other signatures 12->63 22 svchost.exe 10 12->22         started        27 svchost.exe 12->27         started        signatures7 process8 dnsIp9 35 12.23.113.92, 443, 49736 ATT-INTERNET4US United States 22->35 29 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 22->29 dropped 31 C:\Users\user\AppData\...\Login Data.bak, SQLite 22->31 dropped 33 C:\Users\user\AppData\Local\...\History.bak, SQLite 22->33 dropped 55 Tries to harvest and steal browser information (history, passwords, etc) 22->55 file10 signatures11
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b2b541feed14e5570cfcceaca76144a6f54a058a5d820f1b822c47ab0ce38694/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 05:04:11 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1df7adb79eb1757f7c54e86369c72a38b24ec25a608d5281b289d5e018e81757
TrickBot
2f3c6660f3aa00ef8039afb3efadfe91abf8cf5b5d6ac000e114e91d636e11f7
TrickBot
4e2afdf4b77dc7fb7b36668f5ea70189a73f5acb78ba234d31b02b30227179ff
TrickBot
8884ecb5d8ec36160ccbd0f22bd4bbef25648fc66bcb0c42403a5c93051dbcd1
TrickBot
9c1f7206900db7e86c575b126a8ada0d50490464e8a0a493be1871c884c2aad4
TrickBot
9e955c173fcb4383d64ae90a591f1c2e4423f8f546e814041c62a04f7fada83a
TrickBot
aaf65f2e4e89ced41e549525ef7f0cba7226c2423d0e5009f3fe79c4418b15f7
TrickBot
d5bbcb4b0242124fd01644dfe1528bbb2107d795d8528b9fff8e53e62f165356
TrickBot
f17f19350c6dbcf733c1d2fed10e8c853ac3af5117e8dc8122f06c87bd41d19f
TrickBot
f90aeb669c32ed6f1009101cc3c071a840f25c7828035601e92f4e17cd95b606
TrickBot
+ 3'195 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib113 banker trojan
Link:
https://tria.ge/reports/210623-2klmpe3jsj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
196.43.106.38:443
186.97.172.178:443
37.228.70.134:443
144.48.139.206:443
190.110.179.139:443
172.105.15.152:443
177.67.137.111:443
27.72.107.215:443
186.66.15.10:443
189.206.78.155:443
202.131.227.229:443
185.9.187.10:443
196.41.57.46:443
212.200.25.118:443
197.254.14.238:443
45.229.71.211:443
181.167.217.53:443
181.129.116.58:443
185.189.55.207:443
172.104.241.29:443
14.241.244.60:443
144.48.138.213:443
202.138.242.7:443
202.166.196.111:443
36.94.100.202:443
187.19.167.233:443
181.129.242.202:443
36.94.27.124:443
43.245.216.116:443
186.225.63.18:443
41.77.134.250:443
Unpacked files
SH256 hash:
dfc32e24f2270aa2af0cdbd8e094e047b49d88003e7d6a8d2b66faf7df84927e
MD5 hash:
c3dc3f449c002d07206e25d3342c9aa6
SHA1 hash:
79b378270cc561ad12b02e6a85435bdc3f281b62
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/f3528646-e3ee-4f0b-963c-4bd58dde2497/
Parent samples :
d5bbcb4b0242124fd01644dfe1528bbb2107d795d8528b9fff8e53e62f165356
b2b541feed14e5570cfcceaca76144a6f54a058a5d820f1b822c47ab0ce38694
SH256 hash:
2203578a74aaf700f72f2ec7135eb1e86417c84613d0571ee0281eed7b739056
MD5 hash:
b2113c4e8343ad07775d62c4bbae5d95
SHA1 hash:
2f20dd66353aabaf7ab5528b59681e5e4f9e7eac
Link:
https://www.unpac.me/results/f3528646-e3ee-4f0b-963c-4bd58dde2497/
SH256 hash:
bf472d2b88c387359ec202f9c2596394ae7ecf106d141a0818db2be45f63a99d
MD5 hash:
bbaca2ec87d182649d7c44c72cae11e0
SHA1 hash:
98f721b9e4b3d38a942ee00391836f0574abad03
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/f3528646-e3ee-4f0b-963c-4bd58dde2497/
SH256 hash:
b2b541feed14e5570cfcceaca76144a6f54a058a5d820f1b822c47ab0ce38694
MD5 hash:
b897908e6a01adc6768650971e2b4cf6
SHA1 hash:
49a5e515368553ab2bbac7edc674fdc5aa5ebdc5
Link:
https://www.unpac.me/results/f3528646-e3ee-4f0b-963c-4bd58dde2497/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/b2b541feed14e5570cfcceaca76144a6f54a058a5d820f1b822c47ab0ce38694

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe b2b541feed14e5570cfcceaca76144a6f54a058a5d820f1b822c47ab0ce38694

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167718/

Comments