MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea6a9b346baf1452cb2353f5c00c85b1a613652b9628d96e76cd1751ddec8295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9

SHA256 hash: ea6a9b346baf1452cb2353f5c00c85b1a613652b9628d96e76cd1751ddec8295
SHA3-384 hash: 35759ba47a61697ec5efe7330e6d33a54ff27b034c5365cd1383644f110be1bc854d96ab663c1ff72c94fd8bf7efd621
SHA1 hash: 198c1b30071043ca49b6afc3fc1f6cd5002b30d3
MD5 hash: 76663c2524b2dcda6ad247c2c63262f5
humanhash: pasta-queen-west-tennessee
File name: ea6a9b346baf1452cb2353f5c00c85b1a613652b9628d96e76cd1751ddec8295
Signature: TrickBot
File size: 456'704 bytes
First seen: 2020-11-10 11:24:22 UTC
Last seen: 2024-07-24 22:36:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fbbeecc27f4bf19d488ad6e4ca3b0e93 (2 x TrickBot)
ssdeep: 6144:rmV+SaKwkSpOwLyF8oNQdMlJyPR8yyv20rHP3EdSvBXfpnSl3bDOp:r8+CwLyF8fC+x8rHP3EdaBXO3bD
Threatray: 5 similar samples on MalwareBazaar
TLSH: 2BA429D9C8026033DF092972CD8FF52FF10464C08E734EFDB69E4FB666A552A6425E29
Reporter: seifreed
Tags: TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 113
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Changing a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Trickbot
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected Trickbot e-Banking trojan config
Disable Windows Defender notifications (registry)
Disables Windows Defender (via service or powershell)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 313832, Sample: IlxIwluIew, Startdate: 11/11/2020, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-11-10 11:28:06 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:del105 banker evasion persistence spyware trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Launches sc.exe
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Stops running service(s)
Trickbot
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: ea6a9b346baf1452cb2353f5c00c85b1a613652b9628d96e76cd1751ddec8295
MD5 hash: 76663c2524b2dcda6ad247c2c63262f5
SHA1 hash: 198c1b30071043ca49b6afc3fc1f6cd5002b30d3

SHA256 hash: e849ca04f610b9adc3b268b6014a32607f73aad4b46cda176c1eafc82ced2ef6
MD5 hash: 54fbc51bfd621b596a77b9a36b8dd913
SHA1 hash: ec27b6f6a7ef68f5e0f1d016dc059645fe68e35b
Detections: win_trickbot_auto

SHA256 hash: 01a65c5a2f8dc83eb2ecc5cc2daf2e978dd7621da3156599bcaaa338d32c26f9
MD5 hash: 84624e7f190a20210a80f1e2a1cdf3b3
SHA1 hash: 5471e88a4cbb806e248bb237550f9914cefeb297
Detections: win_trickbot_a4 win_trickbot_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: TrickBot
Author: sysopfb & kevoreilly
Description: TrickBot Payload

Rule name: win_trickbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
