MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
SHA3-384 hash: 4526274b6fcd1d3837c7b1caa4d29c2cdc99e222b003260ce253edb385af8b7220baeee25d779fd15d431b454259ebdb
SHA1 hash: 64cb9f5da3ddc769b438c43b994e47487c744cd2
MD5 hash: 0739c8b902eb6b89666d31b744eeb90e
humanhash: solar-glucose-violet-muppet
File name:saved.png
Download: download sample
Signature TrickBot
Create hunting rule
File size:442'496 bytes
First seen:2021-01-05 23:56:16 UTC
Last seen:2021-01-06 02:12:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 55754e7c2ff4111726a0287744b2114b (2 x TrickBot)
ssdeep 6144:koMgXsS8vVr0uBuz7KGW3yv8/fk2SvpLBxGxDDhKg9T0/Q1HN29GBPJs780YWmP/:kopx2ou0aY40/yU4Rs7MWcZj
Threatray 2'995 similar samples on MalwareBazaar
TLSH B29402E667D1BC27F1554CF8929FBFB92608592A4F4C518720907D3EA1B50A2EC32E1F
Reporter malware_traffic
Tags:exe tot5 TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
saved.png
Verdict:
Malicious activity
Analysis date:
2021-01-05 23:47:04 UTC
Tags:
evasion trojan trickbot loader stealer
Link:
https://app.any.run/tasks/3418f802-d5b7-489f-ad7e-647142d190d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110635/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Trickbot.gm.30556.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Launching a process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574705
Signature
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336410 Sample: saved.png Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Found malware configuration 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 6 other signatures 2->92 10 saved.exe 4 2->10         started        14 saved.exe 1 2->14         started        process3 file4 60 C:\Users\user\AppData\Roaming\...\saved.exe, PE32 10->60 dropped 62 C:\Users\user\...\saved.exe:Zone.Identifier, ASCII 10->62 dropped 102 Detected unpacking (changes PE section rights) 10->102 16 saved.exe 1 10->16         started        19 conhost.exe 10->19         started        104 Writes to foreign memory regions 14->104 106 Allocates memory in foreign processes 14->106 21 conhost.exe 14->21         started        23 wermgr.exe 14->23         started        signatures5 process6 signatures7 78 Multi AV Scanner detection for dropped file 16->78 80 Detected unpacking (changes PE section rights) 16->80 82 Machine Learning detection for dropped file 16->82 84 2 other signatures 16->84 25 wermgr.exe 1 16->25         started        process8 dnsIp9 70 149.54.11.54, 449, 49743, 49747 GCN-DCN-ASAFGHANTELECOMGOVERNMENTCOMMUNICATIONNETWORKA Afghanistan 25->70 72 36.89.193.181, 447, 49748, 49762 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID Indonesia 25->72 74 6 other IPs or domains 25->74 94 Hijacks the control flow in another process 25->94 96 Writes to foreign memory regions 25->96 98 Tries to detect virtualization through RDTSC time measurements 25->98 100 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 25->100 29 cmd.exe 11 25->29         started        34 cmd.exe 1 25->34         started        signatures10 process11 dnsIp12 76 186.47.209.222, 443, 49763, 49798 CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC Ecuador 29->76 64 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 29->64 dropped 66 C:\Users\user\AppData\...\Login Data.bak, SQLite 29->66 dropped 68 C:\Users\user\AppData\Local\...\History.bak, SQLite 29->68 dropped 108 Tries to harvest and steal browser information (history, passwords, etc) 29->108 36 conhost.exe 29->36         started        110 Performs a network lookup / discovery via net view 34->110 38 net.exe 1 34->38         started        40 ipconfig.exe 1 34->40         started        42 net.exe 1 34->42         started        44 4 other processes 34->44 file13 signatures14 process15 process16 46 conhost.exe 38->46         started        48 net1.exe 1 38->48         started        50 conhost.exe 40->50         started        52 conhost.exe 42->52         started        54 conhost.exe 44->54         started        56 conhost.exe 44->56         started        58 conhost.exe 44->58         started       
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785/
Threat name:
Win32.Trojan.Deapax
Create hunting rule
Status:
Malicious
First seen:
2021-01-05 23:57:04 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wg6uu4bu73mpaiiubbujxdt2vtjnefx5t7g4rfsyylipirqm6cq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
02a31022e1e829f4d6f854ad5c8c03fd0350dfb5b1f74b585dcf419711e185d4
TrickBot
0f252d0b4a20555653ca22dcc8141dfeca1091d8dadbb5c98f2c7b3884ee0009
TrickBot
1610f95a5fa7d0ff96c212663f92fd12e64fde5fbad5fae7849b9416d2518f10
TrickBot
3a214b848b9d317e2c8dfdc7a2e55ee7893b6e4aadc335992d3425480c7eb8b6
TrickBot
449f24aec03bfd9f244e7102319fa6f9f3fccb1673b89b602faa3a52b1530c93
TrickBot
5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
TrickBot
6912d583576d9eb9caffadbe2c808c4d563dc5274a8197b8be8f253b03010da5
TrickBot
7d974d5a314a19adf76cdd29618acbfb6a61d1cbbdf150ca1c62b88cda9e79dc
TrickBot
93b3b0800018230f58cad9b4ec1d13e9336f0f46062dd49bc43a9394c1bdd1b4
TrickBot
f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee
TrickBot
+ 2'985 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot5 banker trojan
Link:
https://tria.ge/reports/210105-jcxqfsw6r2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Unpacked files
SH256 hash:
ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
MD5 hash:
0739c8b902eb6b89666d31b744eeb90e
SHA1 hash:
64cb9f5da3ddc769b438c43b994e47487c744cd2
Link:
https://www.unpac.me/results/71796b8b-e73d-4aae-bf45-e72266f05aca/
SH256 hash:
8ce645abd8b895b134d1a93cd7f031e54dbf0cfcb3261560d9cf06d50c984b19
MD5 hash:
3c45825ffb2499fb231c58ba12bff899
SHA1 hash:
096f4a180b5627af1e93692dabad92c492ad8373
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/71796b8b-e73d-4aae-bf45-e72266f05aca/
Parent samples :
ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
f96104fbecd8ab4cc3f88df6619c13b99b28b2b7923a4b0e1bce6ff062d93b68
SH256 hash:
643524638c3b67912474c4e92021ead9afc8b51b8c25b1874ceb9006eceff7e9
MD5 hash:
bf973550762b0b6e6a446c2abebc3f7b
SHA1 hash:
217dbba1fa53cbb58468797d2a75027ed8012fb3
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/71796b8b-e73d-4aae-bf45-e72266f05aca/
Parent samples :
ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785
f96104fbecd8ab4cc3f88df6619c13b99b28b2b7923a4b0e1bce6ff062d93b68
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed8dea5381a7f6c78108a04344dc73d5669690b7ecfe6e44b2c61687a2306785

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/110635/

Comments