MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b544cd06c999f1312a5ecb6c25050c8608b8f9a2a46e40e12d70fddd88c22ecf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 10

SHA256 hash: b544cd06c999f1312a5ecb6c25050c8608b8f9a2a46e40e12d70fddd88c22ecf
SHA3-384 hash: e7a4e4bc0e4a77aa077dbb68932d80305b8651c188bb06a1b1eecda2690d115a2ba2855774c88aaf4af66f9004fc9a7e
SHA1 hash: a894919c977e0a8e56cf304a04303afbfc69db69
MD5 hash: a701ee6ac919351407f76f477763c9cf
humanhash: oxygen-lima-magnesium-summer
File name: b544cd06c999f1312a5ecb6c25050c8608b8f9a2a46e40e12d70fddd88c22ecf
Signature: TrickBot
File size: 456'704 bytes
First seen: 2020-11-14 18:18:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fbbeecc27f4bf19d488ad6e4ca3b0e93 (2 x TrickBot)
ssdeep: 6144:iNWYMSbVkSpOwLyF8oNQdMlJyPR8yyv20rHP3EdSvBXfpnSl3bDOp:iAYKwLyF8fC+x8rHP3EdaBXO3bD
Threatray: 7 similar samples on MalwareBazaar
TLSH: CEA429D9C8026033DF092976CD8FF52FF10464C08E734EFDB69E4FB666A152A6425E29
Reporter: seifreed
Tags: TrickBot

Intelligence


File Origin
# of uploads: 1
# of downloads: 202
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Changing a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Replacing files
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Trickbot
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected Trickbot e-Banking trojan config
Disable Windows Defender notifications (registry)
Disables Windows Defender (via service or powershell)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph: ID 316841, Sample: Gg7WERIQpK, Start date: 15/11/2020, Architecture: WINDOWS, Score: 100 (the process and network graph is rendered as an image on the original page and is not reproduced here)
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-11-14 18:21:23 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:del105 banker evasion persistence spyware trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Stops running service(s)
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: e849ca04f610b9adc3b268b6014a32607f73aad4b46cda176c1eafc82ced2ef6
MD5 hash: 54fbc51bfd621b596a77b9a36b8dd913
SHA1 hash: ec27b6f6a7ef68f5e0f1d016dc059645fe68e35b
Detections: win_trickbot_auto

SHA256 hash: 01a65c5a2f8dc83eb2ecc5cc2daf2e978dd7621da3156599bcaaa338d32c26f9
MD5 hash: 84624e7f190a20210a80f1e2a1cdf3b3
SHA1 hash: 5471e88a4cbb806e248bb237550f9914cefeb297
Detections: win_trickbot_a4 win_trickbot_auto

SHA256 hash: b544cd06c999f1312a5ecb6c25050c8608b8f9a2a46e40e12d70fddd88c22ecf
MD5 hash: a701ee6ac919351407f76f477763c9cf
SHA1 hash: a894919c977e0a8e56cf304a04303afbfc69db69
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: TrickBot
Author: sysopfb & kevoreilly
Description: TrickBot Payload

Rule name: win_trickbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
