MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfa088b1ea61efa003343b09a536eaffa12bc90fb612f8ebcb8182785bb6eb16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfa088b1ea61efa003343b09a536eaffa12bc90fb612f8ebcb8182785bb6eb16
SHA3-384 hash: 4665fa338d0a8a0c71480ec0ea100cfda5ce0f1479a7f5b23e6ffbafc427eebacd96c0c4e4f41fd2111ae70029bac163
SHA1 hash: 2ec006693189d6d9f9e1d1d0a244ea7086c83641
MD5 hash: c99e8ea05346c198782e4c66f01d7c10
humanhash: twelve-march-xray-nuts
File name:Froggies.bin
Download: download sample
Signature TrickBot
Create hunting rule
File size:413'696 bytes
First seen:2020-11-13 21:58:14 UTC
Last seen:2024-07-24 21:04:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 44250809348aaf9ac0c34782943fefc5 (1 x TrickBot)
ssdeep 6144:YuLvVLAisXx49K7mRG5lAW2mndmPY/jtW+KITFyJSI6oTMEaAZlbI:HLvZoMG5lAKEYLtW9IT8ayi
Threatray 2'938 similar samples on MalwareBazaar
TLSH B194DF26BE505511FCEA11F108A4916875283C3266109E0BB399FFAF29355C3AEB7F1F
Reporter Scoobs_McGee
Tags:TrickBot

Intelligence

File Origin
# of uploads :
3
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.21500.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Delayed writing of the file
Deleting a recently created file
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/534254
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfa088b1ea61efa003343b09a536eaffa12bc90fb612f8ebcb8182785bb6eb16/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 22:35:58 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6qirmpkmhx2aazuhme2knxk76qsxsipwyjpr26lqgbhqw5w5mla._file
Verdict:
suspicious
Similar samples:
2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed
TrickBot
34873d81dc7a0468d941294a1c62f9bb9e110d0f333f55de2da41ac6ead400d7
TrickBot
52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929
TrickBot
58c4bea082b2f44f0beab5356ae2bc9bc73c3f13ab0491861bc2ba24690da103
TrickBot
5ec3fca3f0fa3232c85ace8ea62056223149452b70bee259706984e2c96e1998
TrickBot
6ca141e8ed2443113c9e497d231b93cf41d86b224993c48f589b375a830cd27c
TrickBot
84f007e1e974a8305c3406d47d3430812f1805974f582cf2230bdf03f2c33269
TrickBot
d5efc42f10137cb465bcc098f0a3f5440a86ae59059526c6fb4bfce46bf1be83
TrickBot
ea5c72bce7e028a6b2f9febd90751bf0e323da00b4b0d68be2a52ed21fe2a4d0
TrickBot
faaa0098ad3de31c95506576653962bf783bdf347b6d22255d707561e30c5350
TrickBot
+ 2'928 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:fra1 banker trojan
Link:
https://tria.ge/reports/201113-f2hxhjvjm2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
195.123.240.138:443
162.212.158.129:443
144.172.64.26:443
62.108.37.145:443
91.200.103.193:443
194.5.249.195:443
195.123.240.18:443
Unpacked files
SH256 hash:
bfa088b1ea61efa003343b09a536eaffa12bc90fb612f8ebcb8182785bb6eb16
MD5 hash:
c99e8ea05346c198782e4c66f01d7c10
SHA1 hash:
2ec006693189d6d9f9e1d1d0a244ea7086c83641
Link:
https://www.unpac.me/results/3381bab8-cf09-436a-8858-91d5b5acbfc0/
SH256 hash:
058425264f9994bc6462e8cd9f3a28e99172a41e61163e027a74397781b1a458
MD5 hash:
8d4314242a4c92617c401e825e137407
SHA1 hash:
668ec13431a61fb7aeb45ee89bdbdad2aae57682
Link:
https://www.unpac.me/results/3381bab8-cf09-436a-8858-91d5b5acbfc0/
SH256 hash:
f998cd07758b31e7b4000278b6d2c957dd8f6470f85cb27857415bd56ba1e4cd
MD5 hash:
d9f54598ed460f5e98c819da4a2adb9f
SHA1 hash:
7bf99b0faa8bedca05e8cc5f65eec6f96dd4060e
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/3381bab8-cf09-436a-8858-91d5b5acbfc0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Executable exe bfa088b1ea61efa003343b09a536eaffa12bc90fb612f8ebcb8182785bb6eb16

(this sample)

Joe
Joe Sandbox
https://www.joesandbox.com/analysis/316218/0/executive
  
Delivery method
Distributed via e-mail attachment

Comments