MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
TrickBot
Vendor detections: 10
| SHA256 hash: | e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb |
|---|---|
| SHA3-384 hash: | dfafb1ad80e5f9a0eae85354b9f5a29e3b4005d2ff4f9f21c501f9fbb7a16756601bb39b9dd932983b65b59c7ad0c489 |
| SHA1 hash: | 7264969d29c394596afc657523a6c5e3c4c1b609 |
| MD5 hash: | e392bc9976b03adcc58baf6c6829f786 |
| humanhash: | neptune-spaghetti-network-delta |
| File name: | e392bc9976b03adcc58baf6c6829f786 |
| Download: | download sample |
| Signature | TrickBot |
| File size: | 602'112 bytes |
| First seen: | 2021-10-19 15:23:58 UTC |
| Last seen: | Never |
| File type: |  dll |
| MIME type: | application/x-dosexec |
| imphash | a41e602f2bd2d3f2d246378f964f4626 (4 x TrickBot) |
| ssdeep | 12288:mpE9ujlV704/VaAvamomBZXfZcChftF0A61dZmwp22lFn42:8E0jlu4NawvhRF0rDp2OFnl |
| Threatray | 4'262 similar samples on MalwareBazaar |
| TLSH | T19ED4D003B2E0C036C2EF1234AD566B9576FDFC605AF5C687AB807B4D2E31AC15A35369 |
| File icon (PE): |  |
| dhash icon | 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT) |
| Reporter |  zbetcheckin |
| Tags: | 32 dll exe TrickBot |
Intelligence
File Origin
# of uploads :
1
# of downloads :
379
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Verdict:
Malicious
Result
Threat name:
TrickBot
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Signature
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Detection:
trickbot
Threat name:
Win32.Spyware.TrickBot
Status:
Malicious
First seen:
2021-10-19 15:24:09 UTC
AV detection:
10 of 26 (38.46%)
Threat level:
2/5
Verdict:
malicious
Label(s):
trickbot
Similar samples:
+ 4'252 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Score:
10/10
Tags:
family:trickbot botnet:rob136 banker suricata trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
20ba144cbdba3238cc8228d892e916e6351a0f2be0cdabb7d94251f305273bcc
MD5 hash:
a933bc0f73dff2461239e83c7f1e25c9
SHA1 hash:
f35590e8506d63f21dada76efb4183d706db1dd2
SH256 hash:
26f76f22131d7c79defb400bc80755ca66cc1a072e3cb6e1613b8d780a171665
MD5 hash:
d09b00e792418eb8c2b5a52d0f2f2ac6
SHA1 hash:
b6706842a5cdbb3d4d49e664fa4caa49afc691ec
SH256 hash:
fe4113b32c3d774ac5210a04b6e0e339a93770edb97bfd004e1f5448ccba851d
MD5 hash:
4be9f19c34ee551f4c889f1c2f0fd469
SHA1 hash:
992d028dedbec8de291552613eccc39b96dd5d17
SH256 hash:
b2c4e3e3eacf501232242e9a340dfe29776ae79685e5cb7bdb25dcb168c793c3
MD5 hash:
5003d5e55f514b8f18d0c3b5d2942e2c
SHA1 hash:
5a197cabd54e8fdc40ee1bbce711ed3879d0089f
Detections:
win_trickbot_auto
Parent samples :
968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb
f8cdd0190b5b1bc3a441e8298cdedec9f09bca6ff99ec0b461d7730985ffb78b
1455e78e95b8e3b9df5eb8d8d1703018c927694c6269e01f1b846abdfa054b82
65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b
af7526d30d40da60e83b0423f338f0740886321eadaae86ce16c10af44e44c3e
c0c4cf3a74e70f837e73f44ed95789946b02de457b6155ddc4e14a9441f92048
4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520
e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb
f8cdd0190b5b1bc3a441e8298cdedec9f09bca6ff99ec0b461d7730985ffb78b
1455e78e95b8e3b9df5eb8d8d1703018c927694c6269e01f1b846abdfa054b82
65234c8a08c9a5e2e81af11e4be56eaee3ec00c9063069ab9d97770d6f31ba6b
af7526d30d40da60e83b0423f338f0740886321eadaae86ce16c10af44e44c3e
c0c4cf3a74e70f837e73f44ed95789946b02de457b6155ddc4e14a9441f92048
4f80d51a856dad4037a2de22d17ec77a3f6a8768c9d312f489f859f9cf4f0520
SH256 hash:
e1b7ffcc831b6b0ef56e665e5f0f8daee789b9426e8dce21e44fbbe9518acbdb
MD5 hash:
e392bc9976b03adcc58baf6c6829f786
SHA1 hash:
7264969d29c394596afc657523a6c5e3c4c1b609
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://195.133.192.72/images/aredplane.png