MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f05c92792d04b23c27f7be6a5fbb318c77acd998d2ada2823e0ae62d05adb0af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f05c92792d04b23c27f7be6a5fbb318c77acd998d2ada2823e0ae62d05adb0af
SHA3-384 hash: 199b3f88cb910bab823a4bebbab9f1c51f0a9d6efd4bde59780ece7a88a85ad17cf1b174e4866dd0c95cea89eb2d4f6e
SHA1 hash: 4ccc204ed78832d6cfe1774208f5482f1f210941
MD5 hash: 3b99e7fdd7a3927cc9bac3a41c005f27
humanhash: timing-high-sierra-fix
File name:3b99e7fdd7a3927cc9bac3a41c005f27
Download: download sample
Signature TrickBot
Create hunting rule
File size:454'656 bytes
First seen:2021-10-11 05:42:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f8cb6cf7a746c79f8c917be532cea46e (8 x TrickBot)
ssdeep 12288:+u3RFj7JkPFATjBoA9s6qJ2hhg0s5aBehO:+2FjaFATjCA26qJ27vVBehO
Threatray 4'058 similar samples on MalwareBazaar
TLSH T138A4E023F1E0C8F6D1A3117109E6A7B97776FC20CBB4D66723905A5E1C72A829627373
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter zbetcheckin
Tags:32 exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b99e7fdd7a3927cc9bac3a41c005f27
Verdict:
Malicious activity
Analysis date:
2021-10-11 06:13:04 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/09a4eac2-3133-48ae-ac21-cbd59ce54d17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196440/
Detection(s):
Win.Dropper.Zusy-9901116-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/6163cee81c2d58ba74012bb2/reports/4c8a1abd-ea31-493e-9569-1b39584b637c/overview
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/868251
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f05c92792d04b23c27f7be6a5fbb318c77acd998d2ada2823e0ae62d05adb0af/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 05:43:05 UTC
AV detection:
14 of 44 (31.82%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
226321291fa1d596e9a0dc89992fc3e36eb070d06c02df249593a3193d216ed3
TrickBot
3533489809de87c678e6f04202f369e771de084c3e41d363a6879cc46f2423a7
TrickBot
447f81782c5ec0ddd591a39b3312adacfca17ea97a161646f54ae7f3de334398
TrickBot
6c238a124150dc1298bd6a347e8628b51ca2d5ae04b0181270a5928aedc63ad9
TrickBot
c5529c964e7362a3ae3ffd0230d73253a491a38f70d2e88cc42abe8a246075b1
TrickBot
db1a302245edeb75f80886aab2dea319f68dbfa0061daac6e5a4a10ec179b00a
TrickBot
dd3b410927a1c9ee86cc61e70378c37f6cb9285f1da01ab0a07a182bfd4906aa
TrickBot
+ 4'048 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lip132 banker suricata trojan
Link:
https://tria.ge/reports/211011-gekp5sgebj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f05c92792d04/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f05c92792d04b23c27f7be6a5fbb318c77acd998d2ada2823e0ae62d05adb0af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe f05c92792d04b23c27f7be6a5fbb318c77acd998d2ada2823e0ae62d05adb0af

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196440/

Comments


Avatar
zbet commented on 2021-10-11 05:42:12 UTC

url : hxxp://195.123.222.193/images/eresizebar.png