MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5b2a9d72565eee864ecd613e63882d5c12145dd71a85f44ca451cbea110ce18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 11

SHA256 hash: f5b2a9d72565eee864ecd613e63882d5c12145dd71a85f44ca451cbea110ce18
SHA3-384 hash: f6dccb4621903571dfff5d4477b8f8247f2dcd7057c8d1cc7001d84082a5cbde40fb783b8c42a3677437b7cb02ce97dc
SHA1 hash: d903ed9cc476b50e21bfe6dcf392c589235ea075
MD5 hash: b14dd93fd45b731b228ee4715085cbc5
humanhash: magazine-shade-robert-florida
File name: b14dd93fd45b731b228ee4715085cbc5
Signature: TrickBot
File size: 507'904 bytes
First seen: 2021-10-05 08:16:23 UTC
Last seen: 2021-10-05 09:01:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e38afb91bac491f7825e4d9386ac015b (4 x TrickBot)
ssdeep: 12288:J1YWEJFGqCu7+K+1A8uKQfL/g8g54yXsJ/20V/YnOcy:J1YWEJFGqd7++bgNtsJ/5i5y
Threatray: 3'965 similar samples on MalwareBazaar
TLSH: T114B4F10277D584B3DA62643209EAA77AB774BD554A32CF87A354FF0CDC31240993B36A
dhash icon: 02505e151a0d0008 (5 x TrickBot)
Reporter: zbetcheckin
Tags: 32 exe TrickBot

Intelligence

File Origin
# of uploads: 2
# of downloads: 238
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b14dd93fd45b731b228ee4715085cbc5
Verdict: Suspicious activity
Analysis date: 2021-10-05 08:20:32 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware keylogger packed
Result
Threat name: TrickBot
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature:
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Threat name: Win32.Trojan.Zenpak
Status: Malicious
First seen: 2021-10-05 08:17:15 UTC
AV detection: 6 of 45 (13.33%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: family:trickbot botnet:lib158 banker trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
Unpacked files
Detections: win_trickbot_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_trickbot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.trickbot.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: TrickBot
File: Executable exe f5b2a9d72565eee864ecd613e63882d5c12145dd71a85f44ca451cbea110ce18 (this sample)

Comments

zbet commented on 2021-10-05 08:16:24 UTC

url: hxxp://51.195.192.116/images/eflyairplane.png