MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be98cf40b1ba5dafde4834ba50fb1dc697e456b9f93cb437842f5177160c9fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 12



SHA256 hash: be98cf40b1ba5dafde4834ba50fb1dc697e456b9f93cb437842f5177160c9fad
SHA3-384 hash: 9ead8764e7bcd2dcc2772932f4950e4a7f66bb7daa76623f53eca7bfcb0725d1bad69442aa00e466eba9abef33ee7ca6
SHA1 hash: 71bf3e167f59c1956a2455d038b829e9e3293734
MD5 hash: 158b57c79071c935e63a2fbe85a8d68c
humanhash: friend-item-ten-orange
File name: be98cf40b1ba5dafde4834ba50fb1dc697e456b9f93cb437842f5177160c9fad
Signature: TrickBot
File size: 806'912 bytes
First seen: 2021-06-08 21:34:17 UTC
Last seen: 2021-06-08 22:34:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9cff33d60abb2b9ada3b724500411bdc (3 x TrickBot)
ssdeep: 12288:j6xoNosXWilTFF9VUtxEFP2dhJJuXngCnZmnmB5zI6nDbgjC8+l:mC6ArFBb2dhJGnLZmnmk6nDbgW8+l
Threatray: 769 similar samples on MalwareBazaar
TLSH: DF059E1176F0C436D2B2717149BAD27476A9ECB04F3697C726D02A3D3E706D26B3932A
Reporter: Anonymous
Tags: exe TrickBot

Intelligence


File Origin
# of uploads: 4
# of downloads: 366
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: TrickBot
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-06-08 21:35:11 UTC
AV detection: 4 of 47 (8.51%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:mod2 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256: 653477ab2e525648b29a92d04743bc04f555fc4654e5b7d63595cf7d26f5ffdf | MD5: cd4f9672cac04bda69cb6a09a46e843c | SHA1: d9fea6391b3c8287cb948347c0b5df607b0ca260
SHA256: bdb7ddae276074bc52d2d2a2454dfc994f5762e718105c4025a558291caf88ce | MD5: 8b1a856ddb31dd59dc3df146985bc169 | SHA1: 703d73013fce882d7fcc611a9045be23c1d166b6 | Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto
SHA256: ae77ea33cd643b3a2a93d0a1f2ca1513024263586e8d3d701229d06977aa37e3 | MD5: 51b7ea2d8f99d10d869d9ea89c031a08 | SHA1: 95704e7420221ab01cb04152aa106fc7cba73821 | Detections: win_trickbot_auto
SHA256: be98cf40b1ba5dafde4834ba50fb1dc697e456b9f93cb437842f5177160c9fad | MD5: 158b57c79071c935e63a2fbe85a8d68c | SHA1: 71bf3e167f59c1956a2455d038b829e9e3293734
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; detect CobaltStrike used by different APT groups
Rule name: win_trickbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments