MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e70a5e9914839c1e78c02c39ef366762f6d3df3a3686a09359e7922ba6913964. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e70a5e9914839c1e78c02c39ef366762f6d3df3a3686a09359e7922ba6913964
SHA3-384 hash: c9e214ebb590cee378a06c9da2a76beb232605c7629625f1b32ad0f7ca588da4be2c317ece0c370df68b6e63346521a3
SHA1 hash: 4602f57303c39520aa52fdf97032536f2fb283d6
MD5 hash: 773508ddf0184cf2cb086bd9e9f441fd
humanhash: enemy-kilo-fifteen-july
File name:5794345.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:661'106 bytes
First seen:2020-04-13 18:47:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 77641b1a9a74689e5f33d94db11cc4e1 (3 x TrickBot)
ssdeep 12288:TO/iSQWM1dA/IkCds5otVs4nKpfWeGAX9sEEyC:TaiSQbogkus+tVs4nKpuer9sE
Threatray 2'887 similar samples on MalwareBazaar
TLSH 06E46D18B382DF31C85658FAAD22C2981967EC5617358CC7BACC2BECD7366C1E631749
Reporter abuse_ch
Tags:exe TrickBot


Avatar
abuse_ch
Malspam distributing TrickBot:

HELO: smtp73.iad3a.emailsrvr.com
Sending IP: 173.203.187.73
From: antunezmariar@gmail.com
Subject: Statement 229713
Attachment: anna.guola-229713.xls

TrickBot payload URL:
https://faog.org.hk/scanner/overwatch.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1218/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Generic.mg.4888fe8e2bd06b4b.16102.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Trickbot
Create hunting rule
Status:
Malicious
First seen:
2020-04-13 19:35:31 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=44ff5giuqoob46gafq466nthml3nhxz2g2dkbe2z46jcxjurhfsa._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
2d0d08b27eec389f3edd036b4bb4ded2c24500bf53dba2a3a46eb2ecd36105e6
TrickBot
764553cbeade2cc41c018b08fb22381a32a6c475b86353458d8fbc1aab86afeb
TrickBot
80d162a9d3998938dbf4e82b4411c7aebf3365bef53412c622de318062da3c70
TrickBot
9e91c4019c91b12e04bff20bf3418ddb84e29ff54f275293b1cec9688ba18441
TrickBot
aa816907cbe55fb2e170741297322bdfecc1e68b7f0420fc0459f4d57a395a86
TrickBot
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
TrickBot
bde211630a1bf959caa59f585baf9c2cf1f8eaaa4dbe53f0c9ed7d1c083f0088
TrickBot
c2d499169a652c5c86ef28b7dca25f23e986bdd93b23fe02115923f698d61b58
TrickBot
da995f78d6ba4f7acab4a421e759cc15d2a3b8ca5549edd76605252e410d65ac
TrickBot
f8b31cf177d5a4de939ee8c19d629df9548ac33721c47c66d71bc376922ec259
TrickBot
+ 2'877 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xls 2aeb4962cb5a1eafea081db535faec542a3156b2a65294a4d7dbf0e108b830bf

TrickBot

Executable exe e70a5e9914839c1e78c02c39ef366762f6d3df3a3686a09359e7922ba6913964

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/339716/
  
Dropped by
MD5 540cb91db9cbbc938878c325c1c41877
  
Dropped by
SHA256 2aeb4962cb5a1eafea081db535faec542a3156b2a65294a4d7dbf0e108b830bf
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/1218/
Cape
Cape
https://www.capesandbox.com/analysis/1212/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments