MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1
SHA3-384 hash: 3258e48840e9fa8c7f3a483d1246f865106ea391124154dd449477700096207c7589fc3354f5618356e09643b7192184
SHA1 hash: c0d6310c5acb63d928c5baa632cc1255ec8e8ed1
MD5 hash: 9f9170d28c677db45ca2f70ac4978dfd
humanhash: south-twenty-nuts-apart
File name:9f9170d28c677db45ca2f70ac4978dfd
Download: download sample
Signature TrickBot
Create hunting rule
File size:528'443 bytes
First seen:2021-09-25 09:59:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 675872e23dfc0f62ffbc2f69c316f4bc (22 x TrickBot)
ssdeep 12288:cbVMh0tRyr3W3SvniM+uwkMx8nXoTT0WJZmo:WMh0tRyL3lY8X2xJZmo
Threatray 3'903 similar samples on MalwareBazaar
TLSH T16BB4D03535E08973D16319308EFD07E963B9BCA147B2958F8F902F0D3C7E556A43A2A6
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter zbetcheckin
Tags:32 exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9f9170d28c677db45ca2f70ac4978dfd
Verdict:
Suspicious activity
Analysis date:
2021-09-25 10:03:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bfb45749-ed1a-44a5-aff4-52d0fe573036

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191495/
Detection(s):
SecuriteInfo.com.Variant.Ulise.303788.23835.9448.UNOFFICIAL
Create hunting rule

Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02ef71a9-904a-4c93-bd82-a9168b93d26a
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857942
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 490370 Sample: O0P5YwGzS8 Startdate: 25/09/2021 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Found malware configuration 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 3 other signatures 2->62 7 O0P5YwGzS8.exe 2->7         started        10 cmd.exe 1 2->10         started        process3 signatures4 64 Writes to foreign memory regions 7->64 66 Allocates memory in foreign processes 7->66 12 wermgr.exe 4 7->12         started        17 cmd.exe 7->17         started        19 O0P5YwGzS8.exe 10->19         started        21 conhost.exe 10->21         started        process5 dnsIp6 50 179.42.137.107, 443, 49749, 49750 TelefonicadeArgentinaAR unknown 12->50 52 179.42.137.108, 443, 49768, 49770 TelefonicadeArgentinaAR unknown 12->52 54 8 other IPs or domains 12->54 42 C:\Users\user\AppData\...\O0P5YwGzS8.exe, PE32 12->42 dropped 70 Hijacks the control flow in another process 12->70 72 May check the online IP address of the machine 12->72 74 Writes to foreign memory regions 12->74 80 2 other signatures 12->80 23 svchost.exe 11 12->23         started        28 svchost.exe 12->28         started        76 Multi AV Scanner detection for dropped file 19->76 78 Allocates memory in foreign processes 19->78 30 wermgr.exe 19->30         started        32 cmd.exe 19->32         started        file7 signatures8 process9 dnsIp10 44 109.87.143.67, 443, 49842, 49853 TRIOLANUA Ukraine 23->44 46 178.151.205.154, 443, 49836, 49847 TRIOLANUA Ukraine 23->46 48 9 other IPs or domains 23->48 34 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 23->34 dropped 36 C:\Users\user\AppData\...\Login Data.bak, SQLite 23->36 dropped 38 C:\Users\user\AppData\Local\...\History.bak, SQLite 23->38 dropped 40 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 23->40 dropped 68 Tries to harvest and steal browser information (history, passwords, etc) 23->68 file11 signatures12
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-25 09:59:12 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2wcbmewtpxb7oe7afnfofzysm2vfar2b6f4jcrc2ngncpozs2diq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
226321291fa1d596e9a0dc89992fc3e36eb070d06c02df249593a3193d216ed3
TrickBot
447f81782c5ec0ddd591a39b3312adacfca17ea97a161646f54ae7f3de334398
TrickBot
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
TrickBot
7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
TrickBot
dd3b410927a1c9ee86cc61e70378c37f6cb9285f1da01ab0a07a182bfd4906aa
TrickBot
f50b51b633835edd334b8627e2cac0571b856212ec2580a7aeb149bd27066255
TrickBot
f61db22354e7f73c3bdcd0465608a2c27e182426bc1b1cafd3e2e134965fe7eb
TrickBot
+ 3'893 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot153 banker trojan
Link:
https://tria.ge/reports/210925-lz42qsbae8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
Unpacked files
SH256 hash:
70288da56e4da38f23b82ccc9b18f9133f7e38de4290f511cd3ce9030a99a254
MD5 hash:
60e8f1fde88645a2a5d696c780c0473b
SHA1 hash:
e1d291faee4a2e9fcf542731a287eff9a14d4299
Link:
https://www.unpac.me/results/1b6b3097-df6a-40b1-9edc-d4d74b83fe37/
SH256 hash:
ec91224925ed968b98000321cb19249318f6c94ac6e0db61ea1aa3e9de7c846c
MD5 hash:
95044f906bea9dde6bda3e8509a6b4ba
SHA1 hash:
314bb3c71024110d6682caa972c56646d46cbe33
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/1b6b3097-df6a-40b1-9edc-d4d74b83fe37/
Parent samples :
f50b51b633835edd334b8627e2cac0571b856212ec2580a7aeb149bd27066255
7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1
1846bc537e84c6ad4b8556b51ca0f9fa9e5b4037182fd8350cb9f783caa90d4c
2e2b2b42ca06698c2e034ce202c2d887e86d4b33cb58fa7fbd5930ca87100d03
46401903e85a5c457490a6934ec4dc61fdf28df83af37741e1566a2abb290ecb
8153e737558eac52410687811599f072a3db9dbec31383983d1337ab6fdda77f
9506421d996290f70689559ee0c09cc074c948fff495478dab43f0d320fdaa20
c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5
bca7a1fb84234ecba4c9c23ea3ed640d59b8be481197a76fa2c830ad1344a322
67ddef66c6c896706289e9797649228a86ffd88cb208662ecdeb8dbf8a937b18
SH256 hash:
f388b01845fd667e25d0c436bf8d5a0c49477559007dfc64c0c9a1be513d676b
MD5 hash:
0cc93c6c6e6b4817ad0e36aebf2502d7
SHA1 hash:
06f1e221784a2ca94d0066f838f71c83f050b08c
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/1b6b3097-df6a-40b1-9edc-d4d74b83fe37/
Parent samples :
d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1
bca7a1fb84234ecba4c9c23ea3ed640d59b8be481197a76fa2c830ad1344a322
SH256 hash:
d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1
MD5 hash:
9f9170d28c677db45ca2f70ac4978dfd
SHA1 hash:
c0d6310c5acb63d928c5baa632cc1255ec8e8ed1
Link:
https://www.unpac.me/results/1b6b3097-df6a-40b1-9edc-d4d74b83fe37/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d5841612d37d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.19
Link:
https://yomi.yoroi.company/submissions/d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe d5841612d37dc3f713e02b4ae2e71266aa504741f17891445a699a27bb32d0d1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/191495/

Comments


Avatar
zbet commented on 2021-09-25 09:59:09 UTC

url : hxxp://172.83.155.173/images/esmallruby.png