MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c988a65d39f617c531454c2f15971c0a769d42ac84bea0a7a3bd89394ba3e654. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TrickBot


Vendor detections: 12



SHA256 hash: c988a65d39f617c531454c2f15971c0a769d42ac84bea0a7a3bd89394ba3e654
SHA3-384 hash: 2c6f5c05e90dc786b3ee7b502b382725f026e30e75a183273f2f33fce2a872e86ed8c343b11f437ffdd86ba9d825fc26
SHA1 hash: f4eac70c6ec4160f7939f56d4fd65b50a2b4b669
MD5 hash: 2c46770b7bccaba1280e5c39ac42f2fe
humanhash: oregon-march-east-white
File name: 2c46770b7bccaba1280e5c39ac42f2fe
Signature: TrickBot
File size: 1'972'736 bytes
First seen: 2021-11-22 22:42:52 UTC
Last seen: 2021-11-23 00:42:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d31639bc44b992226d49e6ecf1a2a248 (5 x TrickBot)
ssdeep: 49152:nUiob4iogjOUcXQb0Np2/csvUMf3fs8E6mHGpV1S7LSYV+eo0E:
Threatray: 4'313 similar samples on MalwareBazaar
TLSH: T17D95F19C9EB35440EC1198F67F8FE7E05C0E271AF8DD4AE72528456402C04FF659BABA
dhash icon: 787c78fa87f7e6c4 (16 x Gh0stRAT, 11 x Pikabot, 9 x ManusCrypt)
Reporter: zbetcheckin
Tags: 32 exe TrickBot

Intelligence


File Origin
# of uploads: 2
# of downloads: 832
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2c46770b7bccaba1280e5c39ac42f2fe
Verdict: Malicious activity
Analysis date: 2021-11-22 22:51:19 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm stealer wacatac
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: TrickBot
Detection: malicious
Classification: troj
Score: 64 / 100
Signature
Allocates memory in foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph (image not reproduced; details recovered from the graph labels):
Behavior Graph ID: 526731
Sample: o38fQ55xnX
Start date: 22/11/2021
Architecture: WINDOWS
Score: 64
Signatures on the submitted sample: Multi AV Scanner detection for submitted file; Yara detected Trickbot
Process tree: o38fQ55xnX.exe started, and from it cmd.exe and wermgr.exe started
Signatures on o38fQ55xnX.exe: Writes to foreign memory regions; Allocates memory in foreign processes
Threat name: Win32.Infostealer.Trickster
Status: Malicious
First seen: 2021-11-22 22:43:17 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 26 of 45 (57.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 8f881e05c336f5276708fc304a940f32046b29252b6feef6bf761038d994e7d5
MD5 hash: fc9059d8640d4e62cdf8733b94b86012
SHA1 hash: 5468aa6b2d3df3471f90197ef23b9e9169993d84
SHA256 hash: c988a65d39f617c531454c2f15971c0a769d42ac84bea0a7a3bd89394ba3e654
MD5 hash: 2c46770b7bccaba1280e5c39ac42f2fe
SHA1 hash: f4eac70c6ec4160f7939f56d4fd65b50a2b4b669
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download
Signature: TrickBot
File type: Executable exe
SHA256 hash: c988a65d39f617c531454c2f15971c0a769d42ac84bea0a7a3bd89394ba3e654 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-11-22 22:42:53 UTC

url : hxxp://45.42.201.16/images/robert.png