MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5ead975f27590c7aa8e191ea9e413597542e0a665e6641f27e9011a18b3a4b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5ead975f27590c7aa8e191ea9e413597542e0a665e6641f27e9011a18b3a4b5
SHA3-384 hash: 07ab3893acf5ecd6dc73df46263659c9218612e2ed80bbd3efaf7442aa8329afa5e117db75e4a15da8288e94b6612a38
SHA1 hash: cbb3c687b8dc6301313b7e5461b0ec412341af37
MD5 hash: 52fdb95c1fbfaee2b64dcc1171372749
humanhash: india-ceiling-michigan-kansas
File name:52fdb95c1fbfaee2b64dcc1171372749.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:803'519 bytes
First seen:2020-09-11 05:36:19 UTC
Last seen:2020-09-11 06:43:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 93dc88155a00ae749ca86929ba8dffd0 (23 x TrickBot)
ssdeep 12288:KbQ5Gmpe+jNBNF8KegmyC+cbGxRt4tIUcOWTFLR3q69zvEQIXE:KcFjZB38KeUC+cbYRt4UB9rhYE
Threatray 2'904 similar samples on MalwareBazaar
TLSH B0059E23AD40B44ADA0B0CB15DFD5A7918363C2164156D4BB2D5BE8C2CB2AD36DF932F
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Agent.EWFR.20028.20084.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Connection attempt
Unauthorized injection to a system process
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/463843
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f5ead975f27590c7aa8e191ea9e413597542e0a665e6641f27e9011a18b3a4b5/
Threat name:
Win32.Trojan.TrickbotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-09-11 05:38:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6xvns5psowimpkuodepktzatlf2ufyfgmxtgihzh5earugftus2q._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
05b662e6e0ee03a3e2b87b14fcda6e28f8e048b62f5baeb698068b85d83b1181
TrickBot
06e399b781a4c5a13d67764d76189854beb3699409a5c5809eede651ba0f7435
TrickBot
09489e108c5b049847f98b97af75418db20af15d9cd727b240b922954b626845
TrickBot
66b833cc53b7c8984cb521afbb3f91a64e045a2830bc2e456e91becc7d282179
TrickBot
6f4e027d6a43811701f9f73b69e77a83e51336457284fb7925dcbed71b13820c
TrickBot
7b3850e39e8474d1f218df0d2ba21a3315759ebed9b40957f6336d313103ffb6
TrickBot
8b2a8e5204ffb2fcf0b469a256a1d3b72618a66ad03ddd256210622bac56bae7
TrickBot
ad6ffe42e13f29cb042920e67867b886fddd40cfae44b5aba4e3331a582b4a0f
TrickBot
bea4a28914661d6b96f19150a9231d4718a4566ac737c2703c146dd04cf594b9
TrickBot
e8b03d2e2f16d44d8ce2272bb7f19c80c3006215b00624c79c204c70f54d1d83
TrickBot
+ 2'894 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
trojan banker family:trickbot
Link:
https://tria.ge/reports/200911-jdgchh842s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
51.89.177.20:443
194.5.249.174:443
107.174.196.242:443
185.205.209.241:443
82.146.46.220:443
5.34.178.126:443
212.22.70.65:443
195.123.241.90:443
185.164.32.214:443
198.46.198.139:443
195.123.241.187:443
86.104.194.116:443
195.123.240.252:443
185.164.32.215:443
45.148.120.195:443
45.138.158.32:443
5.149.253.99:443
92.62.65.163:449
88.247.212.56:449
180.211.170.214:449
186.159.8.218:449
158.181.155.153:449
27.147.173.227:449
103.130.114.106:449
103.221.254.102:449
187.109.119.99:449
220.247.174.12:449
183.81.154.113:449
121.101.185.130:449
200.116.159.183:449
200.116.232.186:449
103.87.169.150:449
180.211.95.14:449
103.36.48.103:449
45.127.222.8:449
112.109.19.178:449
36.94.33.102:449
110.232.249.13:449
177.190.69.162:449
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5ead975f27590c7aa8e191ea9e413597542e0a665e6641f27e9011a18b3a4b5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe f5ead975f27590c7aa8e191ea9e413597542e0a665e6641f27e9011a18b3a4b5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/58582/
  
URLhaus
https://urlhaus.abuse.ch/url/459871/
  
Delivery method
Distributed via web download

Comments