MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb
SHA3-384 hash:	ec210365723b02ba6fedcd33ca6ca0b67a0d18d9045a322af81a57bf9980c41b15e898b30dfa462a4eb7ef3089463b06
SHA1 hash:	a2ce7a730e96bf6c8f9cd512993fd67cf0c10767
MD5 hash:	e8b61b099af93918a7d59477334471e0
humanhash:	alaska-hot-cup-winner
File name:	49136 E2K 610622871149136 E2K 6106228711.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	823'691 bytes
First seen:	2023-01-10 09:00:40 UTC
Last seen:	2023-01-25 18:22:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d
Threatray	4'793 similar samples on MalwareBazaar
TLSH	T1D005AB801E41C89DE161CFF225B185B3C72E9FED2E38855E7614FF3667381AC971AA12
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0dcd4d4d4d4ccf0 (1 x TrickBot)
Reporter	cocaman
Tags:	exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

509

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

49136 E2K 610622871149136 E2K 6106228711.exe

Verdict:

Malicious activity

Analysis date:

2023-01-10 09:02:59 UTC

Tags:

autoit

Link:

https://app.any.run/tasks/46611376-7d0b-4310-9eb9-6220bea2f4c4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/351438/

Detection(s):

SecuriteInfo.com.AIT.Trojan.Nymeria.5338.9858.21810.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Reading critical registry keys

DNS request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63bd295283a5ae8cb4a84bb2/reports/148ea7df-d322-4c78-b374-7c3ff27201d5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f29a4cb8-9f46-4250-82cc-a8882ef11d66

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1148577

Signature

Creates multiple autostart registry keys

Detected unpacking (creates a PE file in dynamic memory)

Found API chain indicative of debugger detection

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2023-01-10 09:00:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=45cwyv63urbkpzr7fpkf75n6nsawr4x47uk4lzafknx3hozbfxfq._file

Verdict:

malicious

Label(s):

trickbot

TrickBot

20139c79820552c3173bdfd0ff0ae7fefad18bd716bc3383bc1092eba1514e11

TrickBot

25292209f834f29e0739968eb50e8d021068b7558e64e2f3604657e7139605fc

TrickBot

3c703c79f804220c6210cef1c0e98cd7cdce8848e84483b5d371e05f5edf02a5

TrickBot

4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698

TrickBot

df8573405d1b9e0d3bbd88adf1f5db88f8ced9d603b78b41881bd50de1d26cc5

TrickBot

e3f0cf7effaf970e55ce7b44afa66607f8126403523b609849339d551011480f

TrickBot

eba8797c9a35f0562ee9692d52b2b2bb168688ba41b0eb96d41584f06c49f012

TrickBot

fd10d0c124ace345aaace7bab115d0cd3771c61919912e141924991146fc6b37

TrickBot

+ 4'783 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/230110-kyxqlabc21/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b537a2a4-ae2f-4948-9364-09aaa1614c14

Unpacked files

SH256 hash:

62591c3a8ee628a9fe6b75630d62e43943396a110eab0202ab835f8efd8f8164

MD5 hash:

df37da5900f694ecf301b2fe277232bd

SHA1 hash:

b2b2dd5356484aaefda71ab9579f8dd1446bfbc8

Link:

https://www.unpac.me/results/e52c1833-b6ad-4434-9784-23128d010b49/

SH256 hash:

f3cc1bc2cd628cd9e3659c191975713a13251f3076f782ec1edfa30e4e0384ce

MD5 hash:

193a2a799cd6bf1189d7f81677d33524

SHA1 hash:

1be4605ccebf949148840ac4f21d8e7973de5c9b

Link:

https://www.unpac.me/results/e52c1833-b6ad-4434-9784-23128d010b49/

SH256 hash:

e439f02b72a882498d512689f380e1323c4d8342578fe8608e81061cf4a8aee1

MD5 hash:

3d90ab79b9719aded136b7cd437ebb21

SHA1 hash:

dbec6e868a293cb0bd58d35191b1423ab8942384

Link:

https://www.unpac.me/results/e52c1833-b6ad-4434-9784-23128d010b49/

Parent samples :

90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4
cc7cb2ebb12103aea621ec7962819aced4680b4322bc213a9257b36c8f2dab3e
cfa0a176bad0046bd498a5a7f5140ca92734b096c541a54acd1b002f228ec47c
22f34cc0b56ea1709b3af15b41b43fc40fca2b77debb8400108d3f517ee2ed4a
607e8a91c76f444784c2cbc1090cf8724d882d9861641a1f6e0de6b2b9401859
2de4a8c16d3643a3c58c63f4e7df2836919316635c05718dac1e474b6eb7fe29
ec61895ef8af01ff00970e46f7ba98c24bf9079d71e09d3c18576f1a9efc93c2
c1955052a26634f3571423dc64d3fd10c55fdb27f29eb3afd292787693ffcf91
4d4f7a1cb34d5309e1c82e7110209c974a08b3e82eaaf7799d7d9a3a176132ca
48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939
08ec22dd1d931a9d4194d5e46bc42914e62227c11e9fedce2175fe6a53eb4f92
6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
7e18e5fe9e980c48ad67cc2ce7423e818e15c1256e2ffe4ce85c5cfbd5b30877
5dbc3e721cd340dd80bfa7d0127d920f5f2630aa4b3b3ecfb8d2af9f28f0e208
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
1ffa8b06cb779360f8c42ccd4527ae3076d25d11b3a90976f04ea430173e9b85
e92f111b8aa01289f72c66585219861e0117c9939de56741cbb234fee55536fe
b69687c4b9aa0c1599840ea90562d3833367e8095addfc725fc2b52fad6ee565

SH256 hash:

e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb

MD5 hash:

e8b61b099af93918a7d59477334471e0

SHA1 hash:

a2ce7a730e96bf6c8f9cd512993fd67cf0c10767

Link:

https://www.unpac.me/results/e52c1833-b6ad-4434-9784-23128d010b49/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

zip 8b739e545fc95b979031b1d173680e40804cdfae954553daad04f865571072a5

TrickBot

exe e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb

(this sample)

Delivery method

Other

Dropped by

SHA256 8b739e545fc95b979031b1d173680e40804cdfae954553daad04f865571072a5

Cape

https://www.capesandbox.com/analysis/351438/

Dropped by

MD5 93c06fe98c490ca05ff794cc50b7fefa

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample