MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccaa3d075eca8fa00e6e9fa2a11ef66558ff56fa402bed83b62d6c410acad4a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccaa3d075eca8fa00e6e9fa2a11ef66558ff56fa402bed83b62d6c410acad4a4
SHA3-384 hash: 18842d719a2c49fb3a4acfbe584a0695fc5e5585f861f71c4b160610e8a1410de048bbd7a495567b30134c37b15f5c3b
SHA1 hash: 754c5f26f4b9d3a88840c627be9e07bb8b231096
MD5 hash: 22326a788a3c0dbd480ce734dfaba729
humanhash: uniform-kilo-autumn-apart
File name:262ONO60DDT.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:450'861 bytes
First seen:2020-08-05 07:02:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f659b493cd16246e9de665422422669b (62 x TrickBot)
ssdeep 6144:GcgG+DlDlDlPKa4cjcZ70+7FQrH+48PiR5zcaky:v+dKa4cjcaDr+48PQ5zl
Threatray 5'076 similar samples on MalwareBazaar
TLSH ABA48E11FD630042D829057C086A4438DF1B2F7AFD39AA125FC1BE4F47B61666AA5B3F
Reporter JAMESWT_WT
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39027/
Detection(s):
SecuriteInfo.com.Trojan.Packed.140.20303.30840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Delayed writing of the file
Deleting a recently created file
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/410291
Signature
Allocates memory in foreign processes
Delayed program exit found
May check the online IP address of the machine
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccaa3d075eca8fa00e6e9fa2a11ef66558ff56fa402bed83b62d6c410acad4a4/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 22:29:13 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zsvd2b26zkh2adtot6rkchxwmvmp6vx2iav63a5wfvweccwk2ssa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05419cb584d67a251d98a302aebeda680806e178d9aecb9265bc1e48dc8897bf
TrickBot
4a8e724787fe19de01666f5ec11febceb8dffbd79da8a7645af6315587048936
TrickBot
55c935b724a8106ccabf0287e1d763ed83a54d899ef0d916c38742341b734607
TrickBot
59c462b186c2d8258a8cc2645f1b24ac91a53e7f49ad91b4e6f7a904736ed1cf
TrickBot
5a4a2a701a5a2ac0af435c31e273d8910d2feacc3a77a9328900c472ddd1d285
TrickBot
667bed787281da1a9260a1ebceed504815a645c6a37aaa08810f427c89132cdc
TrickBot
88630567d7dd2637746dc17849ad03bbd8c52cd749aef31d30752cd4e8da7801
TrickBot
b1b48a592de865318e2513e855556cd1b57b961e75956f24510d15771e87f5db
TrickBot
b6edc51053088f5d94cec4f62253cb8676f1b5b450a2c0da9562639eb73f45cd
TrickBot
e6d0cd4425a0d27fa8b175b4545a77a5b543dbe21d0ff28a948f75b0519fafa0
TrickBot
+ 5'066 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200805-dmcgfdhpxx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccaa3d075eca8fa00e6e9fa2a11ef66558ff56fa402bed83b62d6c410acad4a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe ccaa3d075eca8fa00e6e9fa2a11ef66558ff56fa402bed83b62d6c410acad4a4

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/39027/
  
URLhaus
https://urlhaus.abuse.ch/url/424217/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/424503/

Comments