MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5ba8da01ea323a4e61c8fd7dbf122f86b9afbaac0e48add9b14ee424549eee9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5ba8da01ea323a4e61c8fd7dbf122f86b9afbaac0e48add9b14ee424549eee9
SHA3-384 hash: b7c2e703b910967b72dd32e9b1e7587c12b3e595febc2deb9538a737957fea4afa64fc5c7b775073304c7433712492cf
SHA1 hash: b00c9cb7e1cf75355db27a01ea295d7412bdca2a
MD5 hash: 33393db77041225a87c97454afddf413
humanhash: leopard-gee-stairway-cola
File name:9669cddst.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:338'654 bytes
First seen:2020-08-06 09:35:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a8c5544cd24df05aabef0164d767361 (413 x TrickBot)
ssdeep 6144:C12iazhHebQnUuPYhVY0YNrkcPdN09Qj8uytOItBwfwzvsmI3WEaCoqNSoIDcTf7:C12tuQPPwYycd0iKDwCv01oqNS1DcTf7
Threatray 5'112 similar samples on MalwareBazaar
TLSH B874F102E5C74C3AD2656435063D3971DAB8DF1417BD9B2376C8C96B2899888DF3EB0B
Reporter JAMESWT_WT
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40788/
Detection(s):
SecuriteInfo.com.Variant.Zusy.310686.15496.3744.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Delayed writing of the file
Deleting a recently created file
Launching a process
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/413347
Signature
Allocates memory in foreign processes
Delayed program exit found
Found malware configuration
Machine Learning detection for sample
May check the online IP address of the machine
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5ba8da01ea323a4e61c8fd7dbf122f86b9afbaac0e48add9b14ee424549eee9/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 09:25:32 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2w5i3ia6umr2jzq4r7l5x4jc7bvzv65kydsivxm3ctxeerkj53uq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1d09828ae5db07bbb421259cdeda0ee597cc1b5c5377ef7b05ee307814ecb9fc
TrickBot
2950bf30dac3ff3f0c287b86a50a0eb2260c3e637e60cb0c5bf42a4dd5347738
TrickBot
352ea94d9fdb88e620f9ae795f810ab70e9b0c4e5c49afb40014c814045b853e
TrickBot
4d626408b478dcfb8a8b7ea673ae1cfcd706f860adad35fa1e56873d96d00b43
TrickBot
758fb4cebdfa9af4fe610365837d5b427cf8bcde69e2680342e3a8aa47677507
TrickBot
75b2e7fc7a83b5d8c0a0613063bb85e95f0140b30351bba50a20b8c0df12292f
TrickBot
7e583c93312343cdae6b536e554bb45b66445e570c8bd0cede093bd6d22d5c2f
TrickBot
b7aee757fb6ba5fd426035c852ac844350fb3e3739bba2237c34c016ef9f90e7
TrickBot
cf7b15e69279ced1c1732d2c74e92897be137ec454127677bfb677b91b891efb
TrickBot
e9b27da1ec3f6f1526498a02162e2bb246043da68f68f1a16b07c8f520a22a97
TrickBot
+ 5'102 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
dave trojan banker family:trickbot
Link:
https://tria.ge/reports/200806-l6q83lc54n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Dave packer
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d5ba8da01ea323a4e61c8fd7dbf122f86b9afbaac0e48add9b14ee424549eee9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe d5ba8da01ea323a4e61c8fd7dbf122f86b9afbaac0e48add9b14ee424549eee9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/425048/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/40788/

Comments