MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee
SHA3-384 hash:	14b25037d0715bb71adb1cf8971cc5f5956d1ae378506eaec858336270f2956c0cc3a2cc96046d624bdf5056088e71fa
SHA1 hash:	bab6aa3b076c6f956191c406047df30c73eb46db
MD5 hash:	9249937f8b65eeaef25cf49a86b8e1c7
humanhash:	golf-idaho-spring-william
File name:	SecuriteInfo.com.Variant.Razy.820175.1205.12418
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	626'688 bytes
First seen:	2020-12-30 04:46:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3e4de0cd8bd30fa08ee6154c7cfb846b (13 x TrickBot)
ssdeep	6144:tQHWQDoP0QHWprreasugBGl0TaY4V4x/JUc5El1V0J3Tclf:tEDX4asuKGSmY4CxhUc5El1iZg
TLSH	BAD4CF616FD4E901F1294872143B9BB85A353C22AC264D17E369FE4C2CB99D72DE231F
Reporter	SecuriteInfoCom
Tags:	TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

395

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Razy.820175.1205.12418

Verdict:

Suspicious activity

Analysis date:

2020-12-30 04:49:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c4621f89-fccb-4e85-a247-dd47ffe40c10

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

TrickBot

Link:

https://www.capesandbox.com/analysis/109899/

Detection(s):

SecuriteInfo.com.Variant.Razy.820175.1205.12418.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Sending a UDP request

Deleting a recently created file

Launching a process

Connection attempt

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/571821

Signature

Allocates memory in foreign processes

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee/

Threat name:

Win32.Trojan.Trickpak

Status:

Malicious

First seen:

2020-12-30 04:47:05 UTC

AV detection:

15 of 48 (31.25%)

Threat level:

5/5

Verdict:

malicious

Label(s):

emotet

trickbot

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:mor6 banker trojan

Link:

https://tria.ge/reports/201230-3atwl53t4s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

103.231.115.106:449
117.222.63.100:449
117.254.58.83:449
149.54.11.54:449
170.82.4.64:449
177.11.12.93:449
182.16.187.251:449
187.108.86.48:449
190.152.88.57:449
203.88.149.33:449
36.89.191.119:449
41.159.31.227:449
85.202.128.243:449
92.204.160.82:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.48:449
102.164.208.44:449

Unpacked files

SH256 hash:

f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee

MD5 hash:

9249937f8b65eeaef25cf49a86b8e1c7

SHA1 hash:

bab6aa3b076c6f956191c406047df30c73eb46db

Link:

https://www.unpac.me/results/55fdcbb3-8254-49a0-bbb4-9748ca899128/

SH256 hash:

6b75bd037b09228db68b94055a95c45391230f0b8a6781fed3ed4ea6e9f64be5

MD5 hash:

81754f8e9051b8d56e615ca4f2ac7a34

SHA1 hash:

85f25e57d6e335bf1d95f857b086d4ced64f5e9c

Link:

https://www.unpac.me/results/55fdcbb3-8254-49a0-bbb4-9748ca899128/

SH256 hash:

6ca52db23699fc9a3bbc8d05b6fc760a99026c140bcec305a36115b841472ef6

MD5 hash:

ab05446920565536824b3b23371f82e9

SHA1 hash:

91ab593b6840a9ffb0da0455c095cbf757c835e2

Detections:

win_trickbot_a4

win_trickbot_auto

Link:

https://www.unpac.me/results/55fdcbb3-8254-49a0-bbb4-9748ca899128/

Parent samples :

51c2e947522399b8074d5862d8d32257264ae8e39f1d07923085e7b96821109f
f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee
7d974d5a314a19adf76cdd29618acbfb6a61d1cbbdf150ca1c62b88cda9e79dc
3a214b848b9d317e2c8dfdc7a2e55ee7893b6e4aadc335992d3425480c7eb8b6
02a31022e1e829f4d6f854ad5c8c03fd0350dfb5b1f74b585dcf419711e185d4

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trickbot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/109899/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample