MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

SHA256 hash: c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2
SHA3-384 hash: ff0a552e49ac632ba881f8f496f70b95b870e0161308b671cb6f02615e665364ee8f774f1e19974e34ebfb1a6692a176
SHA1 hash: 1ace53fc97fdd578b2ae13c42af9b44d6fedf7ce
MD5 hash: 98e7b944113b0a9d26ed50909e4d30bc
humanhash: harry-sink-texas-muppet
File name: XGetoptTest.exe
Signature: TrickBot
File size: 376'832 bytes
First seen: 2021-05-06 19:17:01 UTC
Last seen: 2021-05-06 20:01:22 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 3728606838e4d2b654a8bf37ccb9d58f (1 x TrickBot)
ssdeep: 6144:D0nP1yul58XrsOS3B2pDS34hV/zMmGVW5KKhBDzSA4TS:k1yu5MwD3BaDk8OJ/oDY
Threatray: 1'569 similar samples on MalwareBazaar
TLSH: C284D00272E080B6D2FE5A3C0E327B3693B7B8A0CFB18B875B65965D59735414E31B27
Reporter: Anonymous
Tags: TrickBot

Intelligence


File Origin
# of uploads :
3
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.TrickBot
Status:
Malicious
First seen:
2021-05-05 17:16:43 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
5/5
Result
Malware family:
trickbot
Score:
10/10
Tags:
family:trickbot botnet:rob72 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Templ.dll packer
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: bec418ae5ad353ca7a4513890270c0a77a369960b6ac80cb0e4fe50b69154928
MD5 hash: 83f118f7112d6402293d858205d7ad61
SHA1 hash: eeeb6530404c441243b94b81a104d58a47e21bae
Detections: win_trickbot_a4

SHA256 hash: b0ac1d06be27f3e9d81afc76dfdab33267b38ceb30d04f084666132c57f870bd
MD5 hash: 042fb4d316f497f73cedd5d1042271dc
SHA1 hash: e0b9836274057851b67890d79d5866a9ed9b759a
Detections: win_trickbot_a4

SHA256 hash: 5dfab312855c20d620bd24147a50d910336ce359d7af8b50f72cb39f25537e5f
MD5 hash: 4d6c594e67b2e0f9d93750ae73e61d2d
SHA1 hash: 6694769f85891023996508ca3a4e9c61e78903fa
Detections: win_trickbot_a4 win_trickbot_g6 win_trickbot_auto

SHA256 hash: c22df6708ee597cfbc4079d96503e8159104cdf1f0d3a9fecb6741a9e152d0b2
MD5 hash: 98e7b944113b0a9d26ed50909e4d30bc
SHA1 hash: 1ace53fc97fdd578b2ae13c42af9b44d6fedf7ce
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
Comments

accidentalrebel commented on 2021-05-06 20:03:48 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [F0002.001] Collection::Application Hook
3) [F0002.002] Collection::Polling
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
6) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
7) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0052] File System Micro-objective::Writes File
10) [E1510] Impact::Clipboard Modification
11) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
12) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
13) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
14) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
15) [C0040] Process Micro-objective::Allocate Thread Local Storage
16) [C0017] Process Micro-objective::Create Process
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process