MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
SHA3-384 hash: 9e84b9718c893327b45ac1b9761019d6dde2c57db2f0a057a86721302edc3881f67400eed1d667848915a4eac6c02e15
SHA1 hash: 009842a189b00f4088a4bae3078b983d15f237cf
MD5 hash: 6087aa8b7ef507c5147453993f1aba51
humanhash: crazy-mango-north-blue
File name:SecuriteInfo.com.BehavesLike.Win32.Trickbot.gm.32300
Download: download sample
Signature TrickBot
Create hunting rule
File size:434'304 bytes
First seen:2021-01-06 03:33:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fb6fb94e4b762fed1b02b86bf34a8b0b (7 x TrickBot)
ssdeep 6144:XWr/Zk+YqAipOQkh+y5NT+rtdLkA42HHiptpz4nrIBIdP1FD+k0lXIFjIiNj4une:XWrxk+3OQPPlky63kQu0mfAok/O8
Threatray 87 similar samples on MalwareBazaar
TLSH 5394122242C6BA1DECE74CF8B79F8BEA20045B759B6819877E617D2C91F1081E414B3F
Reporter SecuriteInfoCom
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.BehavesLike.Win32.Trickbot.gm.32300
Verdict:
Suspicious activity
Analysis date:
2021-01-06 03:36:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/27e94647-eb4f-48b0-9efd-8e504a6f85c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110644/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trickbot.gm.32300.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Launching a process
Creating a window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574754
Signature
Allocates memory in foreign processes
Delayed program exit found
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336435 Sample: SecuriteInfo.com.BehavesLik... Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 84 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->84 86 Found malware configuration 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 6 other signatures 2->90 10 SecuriteInfo.com.BehavesLike.Win32.Trickbot.gm.exe 4 2->10         started        14 SecuriteInfo.exe 1 2->14         started        process3 file4 58 C:\Users\user\AppData\...\SecuriteInfo.exe, PE32 10->58 dropped 60 C:\Users\...\SecuriteInfo.exe:Zone.Identifier, ASCII 10->60 dropped 100 Detected unpacking (changes PE section rights) 10->100 16 SecuriteInfo.exe 1 10->16         started        19 conhost.exe 10->19         started        102 Writes to foreign memory regions 14->102 104 Allocates memory in foreign processes 14->104 21 conhost.exe 14->21         started        23 wermgr.exe 14->23         started        signatures5 process6 signatures7 76 Multi AV Scanner detection for dropped file 16->76 78 Detected unpacking (changes PE section rights) 16->78 80 Machine Learning detection for dropped file 16->80 82 3 other signatures 16->82 25 wermgr.exe 1 16->25         started        process8 dnsIp9 68 45.89.125.214, 443, 49758, 49764 CCTLD-ITViaMoruzzi1IT Germany 25->68 70 45.234.212.234, 447, 49765, 49773 HrTransportesVerticaisBR Brazil 25->70 72 6 other IPs or domains 25->72 92 Hijacks the control flow in another process 25->92 94 Writes to foreign memory regions 25->94 96 Tries to detect virtualization through RDTSC time measurements 25->96 98 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->98 29 cmd.exe 11 25->29         started        34 cmd.exe 1 25->34         started        signatures10 process11 dnsIp12 74 186.47.209.222, 443, 49774, 49808 CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC Ecuador 29->74 62 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 29->62 dropped 64 C:\Users\user\AppData\...\Login Data.bak, SQLite 29->64 dropped 66 C:\Users\user\AppData\Local\...\History.bak, SQLite 29->66 dropped 106 Tries to harvest and steal browser information (history, passwords, etc) 29->106 36 conhost.exe 29->36         started        108 Performs a network lookup / discovery via net view 34->108 38 net.exe 1 34->38         started        40 ipconfig.exe 1 34->40         started        42 net.exe 1 34->42         started        44 3 other processes 34->44 file13 signatures14 process15 process16 46 conhost.exe 38->46         started        48 net1.exe 1 38->48         started        50 conhost.exe 40->50         started        52 conhost.exe 42->52         started        54 conhost.exe 44->54         started        56 conhost.exe 44->56         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-06 03:34:06 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf
TrickBot
389e03b1a1fd1c527d48df74d3c26a0483a5b105f36841193172f1ee80e62c1b
TrickBot
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
TrickBot
5bd267095b25bea0d5a95b4d6c22b871056ca7b8dc137351850d6a577ba62b80
TrickBot
6a15e26804644d8c13c19260e449186899050e513b6be6ae5ef65ed799906dca
TrickBot
6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
TrickBot
94b76ce34e5493bb59586b41f41b23baa07a55f2397e80775573714b1311103c
TrickBot
b6317c86864cc8dc3ff1364a536919dd3cf8fa6f16ee21df6fb81fa5220a3399
TrickBot
ccf93828e1b44a75820989d72a2c019ae3b0a98944bf9eb1884e77f16050c53f
TrickBot
ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
TrickBot
+ 77 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lib5 banker trojan
Link:
https://tria.ge/reports/210106-4bjxsqybfj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Unpacked files
SH256 hash:
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
MD5 hash:
6087aa8b7ef507c5147453993f1aba51
SHA1 hash:
009842a189b00f4088a4bae3078b983d15f237cf
Link:
https://www.unpac.me/results/9c37ef49-1c2d-4243-b538-f27191446de3/
SH256 hash:
6bc68d59684793707033848293ab5b2d99d273ea1b1d5f0a882adc3a4e509a33
MD5 hash:
940fe71b699dc60c0ac5be0dc764d89d
SHA1 hash:
fed1b470d9e1a588cd7e0333c60ea0036a78077e
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c37ef49-1c2d-4243-b538-f27191446de3/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
SH256 hash:
cbf677f1684c3fadc16307e56d6dcf8ea3af21f63e3f511f5ceeffc48b3c82cd
MD5 hash:
6212184b9f5a28363de451cdcd664e09
SHA1 hash:
c014037b0e9634644d995d0a11a7f1b41639327a
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c37ef49-1c2d-4243-b538-f27191446de3/
Parent samples :
59e1711d6e4323da2dc22cdee30ba8876def991f6e476f29a0d3f983368ab461
b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540
2312b722d68f907871f5d3cebea0939e51e78e402bd3514ef03a8f0fff380d27
00d7094d9bd9a252a25c9324a767b9f5d34eba8ba0a4582f39d7d988627f0c40
a4adbba0e5a436c5820413938dabd7b3cefc15b57719bc76a6ea69c0fc71cef2
662d84c8a14855610a6161c60bf16f30f4dfdbbcfb2b77eb44df0dada1032743
16ffd56ef9d4ad421e6e393d3ae311a2e9c8c768589a8eef3a82eb687c9cb052
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2d9109a3980aadf1ed5f29d238b63ed62ba1f8bc59649c8becb6e737a3f7540

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110644/

Comments