MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f25a780095730701efac67e9d5b84bc289afea56d96d8aff8a44af69ae606404. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f25a780095730701efac67e9d5b84bc289afea56d96d8aff8a44af69ae606404
SHA3-384 hash: 91f8c2c5d6ef92b514c9c7a12174c5b719d2d4dfecabb744e4569692e854c83fb7b6d0c3c6a3bdca87cfe3237f759e23
SHA1 hash: 1e7b9af799048e4112d2468323c5c147e20558f9
MD5 hash: 4e4ae70b6346eae111e31716dc76bc23
humanhash: december-cold-hawaii-oranges
File name:ooiwy.pdf
Download: download sample
Signature TrickBot
Create hunting rule
File size:323'584 bytes
First seen:2022-10-02 15:30:34 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash ab2c68685bab8fd78cc7ca3dc94a8e95 (1 x TrickBot)
ssdeep 6144:v39GX5QjsakVCm+3OgNA0VEXf/DQEuOGAG:v65Qu/+egA0VutG
Threatray 10 similar samples on MalwareBazaar
TLSH T13D64F04772B6E027C14A1F7608C6D0B29BE17D48BAC589C67D8FB62C2D75D03A933297
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4505/5/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter Linkavych
Tags:dll TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
703
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315774/
Detection(s):
SecuriteInfo.com.Variant.Bulz.629338.2491.19513.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c3bf668-86dd-4fbc-b7cd-baa4162737ab
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/835878
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 468309 Sample: oo2.exe Startdate: 19/08/2021 Architecture: WINDOWS Score: 96 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Yara detected Trickbot 2->45 47 2 other signatures 2->47 8 loaddll32.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 rundll32.exe 8->12         started        15 rundll32.exe 8->15         started        17 cmd.exe 1 8->17         started        19 6 other processes 8->19 signatures5 57 Writes to foreign memory regions 12->57 59 Allocates memory in foreign processes 12->59 21 wermgr.exe 12->21         started        25 cmd.exe 12->25         started        27 wermgr.exe 15->27         started        29 cmd.exe 15->29         started        31 rundll32.exe 17->31         started        process6 dnsIp7 35 75.176.235.182, 443, 49706 TWC-11426-CAROLINASUS United States 21->35 37 128.201.76.252, 443, 49700, 49705 PedroFArrudaJuniorMEBR Brazil 21->37 39 8 other IPs or domains 21->39 49 May check the online IP address of the machine 21->49 51 Writes to foreign memory regions 21->51 53 Tries to detect virtualization through RDTSC time measurements 21->53 55 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 21->55 33 svchost.exe 21->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f25a780095730701efac67e9d5b84bc289afea56d96d8aff8a44af69ae606404/
Threat name:
Win32.Trojan.TrickBotCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 18:37:12 UTC
File Type:
PE (Dll)
Extracted files:
6
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jnhqaevomdqd35mm7u5loclyke272sw3fwyv74kisxwtltamqca._file
Verdict:
malicious
Similar samples:
06933c7b3bddbb3d920172216f4886e811397ef933665ff700b3539774e000d4
TrickBot
341186306bd4d9d32fa8e6cebaa58aba3756c9bfdc4d5bef3dd42acae7789fe8
TrickBot
6b62e970d1c770e694aaccad7d7b874895731ed5c7c6029be9f6badc3b533332
TrickBot
8ab49e939399e4dd51e665e119b4d76c12cae36b3c72bb8aedf9c2ef73903a78
TrickBot
f8f428981dcefad408ee7d4a0a855319cb36772b01476c7b385d372f8ac2ed16
TrickBot
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221002-sx2l6aebar/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
f25a780095730701efac67e9d5b84bc289afea56d96d8aff8a44af69ae606404
MD5 hash:
4e4ae70b6346eae111e31716dc76bc23
SHA1 hash:
1e7b9af799048e4112d2468323c5c147e20558f9
Link:
https://www.unpac.me/results/5a142c56-3869-4932-83e9-00bf8bd3f832/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f25a780095730701efac67e9d5b84bc289afea56d96d8aff8a44af69ae606404

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/315774/

Comments