MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea
SHA3-384 hash: 3fc7889e6c8856d1205e14fff8b207502dc275d1a4ccbe60955c8d23a9bf1ee1b9bb7e4cada36ee59d8aab1064901e2f
SHA1 hash: 26847a08f6e0504aff926b6278b2b8efdc90036a
MD5 hash: b9ab9ac3b5335fdca292acb7ca85eb14
humanhash: delaware-moon-may-magnesium
File name:uploads[1].png.0.dr
Download: download sample
Signature TrickBot
Create hunting rule
File size:1'339'169 bytes
First seen:2021-01-21 12:42:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 24576:OQLny3OiG7O5fWcmCM4jBg0nWDqVXF1/Vz897cDH6WboJVIb90Ijg:OQLy3Z5ecmCMqhnllLNgIHjbiIb9S
Threatray 35 similar samples on MalwareBazaar
TLSH BF55DF337CAC479DC8901B73DD93E27116AE2E5B5AF2C10650F66F878BF01989016F9A
Reporter j_dubp
Tags:TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
uploads[1].png.0.dr
Verdict:
Malicious activity
Analysis date:
2021-01-21 12:34:34 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/46cb4ed8-0ee5-439d-b730-0439269c2152

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113281/
Detection(s):
SecuriteInfo.com.Gen.Variant.MSIL.Krypt.11.1240.9175.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Creating a process from a recently created file
Deleting a recently created file
DNS request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/587229
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample is not signed and drops a device driver
Sigma detected: Suspicious Certutil Command
Submitted sample is a known malware sample
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 342642 Sample: uploads[1].png.0.dr Startdate: 21/01/2021 Architecture: WINDOWS Score: 92 65 Multi AV Scanner detection for submitted file 2->65 67 Obfuscated command line found 2->67 69 Uses ping.exe to sleep 2->69 71 3 other signatures 2->71 11 uploads[1].png.0.exe 1 6 2->11         started        15 rundll32.exe 2->15         started        process3 file4 55 C:\Users\user\AppData\Local\...\Appare.sys, data 11->55 dropped 81 Sample is not signed and drops a device driver 11->81 17 cmd.exe 1 11->17         started        19 cmd.exe 1 11->19         started        signatures5 process6 signatures7 22 cmd.exe 2 17->22         started        25 conhost.exe 17->25         started        27 certutil.exe 2 17->27         started        73 Submitted sample is a known malware sample 19->73 29 conhost.exe 19->29         started        process8 signatures9 75 Obfuscated command line found 22->75 77 Uses ping.exe to sleep 22->77 31 Tua.com 22->31         started        33 PING.EXE 1 22->33         started        36 findstr.exe 1 22->36         started        39 certutil.exe 2 22->39         started        process10 dnsIp11 41 Tua.com 31->41         started        57 127.0.0.1 unknown unknown 33->57 53 C:\Users\user\AppData\Local\Temp\...\Tua.com, Targa 36->53 dropped file12 process13 dnsIp14 59 rrrioYNbTRzfc.rrrioYNbTRzfc 41->59 79 Injects a PE file into a foreign processes 41->79 45 Tua.com 1 41->45         started        signatures15 process16 signatures17 83 Writes to foreign memory regions 45->83 85 Allocates memory in foreign processes 45->85 48 wermgr.exe 45->48         started        51 wermgr.exe 45->51         started        process18 signatures19 61 Tries to detect virtualization through RDTSC time measurements 48->61 63 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 48->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-21 12:43:05 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
TrickBot
16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74
TrickBot
1db0242b6f7de2919880e833801ce2b48bbf83c136235a537b17211e1193d611
TrickBot
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
TrickBot
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
TrickBot
890640a258f6876bf27452acbb0e0eaf4a3286f1bca30bc02822d30052a0eeaa
TrickBot
97aa05fceef261ee4ca00025a69280b8f9843ba6531a48ee543eed1f37af8c27
TrickBot
9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
TrickBot
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
TrickBot
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
TrickBot
+ 25 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob1 banker persistence trojan
Link:
https://tria.ge/reports/210121-edx8qfxjt2/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
85.204.116.83:443
91.200.100.143:443
83.151.14.13:443
107.191.61.39:443
113.160.129.15:443
139.162.182.54:443
139.162.44.152:443
144.202.106.23:443
158.247.219.186:443
172.105.107.25:443
172.105.190.51:443
172.105.196.53:443
172.105.25.190:443
178.79.138.253:443
192.46.229.48:443
207.246.92.48:443
216.128.130.16:443
45.79.126.97:443
45.79.155.9:443
45.79.212.97:443
45.79.253.142:443
45.79.90.143:443
66.42.113.16:443
85.159.214.61:443
Unpacked files
SH256 hash:
dc16be77d3434dd6281bdee41dcd4f78b09a36de7b8af5db5d12e27b84300d61
MD5 hash:
bbc70539b895231d77fdfa9cf4a26504
SHA1 hash:
dd7c5a760eb8008b67dba0aa5cb4ccc2f6910ad7
Link:
https://www.unpac.me/results/301d4c53-6d8a-410f-8916-62be801a42c3/
SH256 hash:
d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea
MD5 hash:
b9ab9ac3b5335fdca292acb7ca85eb14
SHA1 hash:
26847a08f6e0504aff926b6278b2b8efdc90036a
Link:
https://www.unpac.me/results/301d4c53-6d8a-410f-8916-62be801a42c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0ddeb53f957337fbeaf98c4a615b149d
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Executable exe d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea

(this sample)

anyrun
any.run
https://app.any.run/tasks/46cb4ed8-0ee5-439d-b730-0439269c2152
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/113281/

Comments