MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1
SHA3-384 hash:	c3b80d15cac65d0c30828fa2d0cdebea6a1028952c77a081a66f985666e5de3188883879082cba50f6a0581bb8281d4f
SHA1 hash:	159245e3d6461ca10d8cd49371554d7bf00f44e4
MD5 hash:	66360f7753b50ab9fcbc03d51e1ce0b6
humanhash:	delaware-spring-pluto-kentucky
File name:	http___192.236.160.84_images_darkmoonlite.png.exe
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	550'912 bytes
First seen:	2021-07-09 06:57:28 UTC
Last seen:	2021-07-09 08:05:49 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	afa2ec665dcca67fcd2e07f1a276b8c0 (2 x TrickBot)
ssdeep	6144:gb7y19WiGXncPH94/0EVruP8e7BSi3rdgEfrJgqZDB+8EGerYpt8ftwaMU3B6lex:AncPH2/0EVA7B5aVNG5z81S86lZ/i3
Threatray	802 similar samples on MalwareBazaar
TLSH	T12EC4BF1076C0C431D1AE2635552AD7BA66E9BD309BF5C2C7BFC03A7D6E311C29A3835A
Reporter	Racco42
Tags:	dll exe TrickBot

Intelligence

File Origin

# of uploads :

# of downloads :

188

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/170616/

Detection(s):

SecuriteInfo.com.UDS.Trojan.Win32.Trickpak.gen.417.31929.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5b57c425-64ae-4a32-9a2d-be77a96ab4fa

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/813874

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Behaviour

Behavior Graph:

Download SVG

Detection:

trickbot

Link:

https://mwdb.cert.pl/sample/f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1/

Threat name:

Win32.Infostealer.Trickster

Status:

Malicious

First seen:

2021-07-09 06:58:12 UTC

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Verdict:

malicious

Label(s):

trickbot

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:trickbot botnet:rob104 banker trojan

Link:

https://tria.ge/reports/210709-v7hbqw27b6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Trickbot

Malware Config

C2 Extraction:

38.110.103.124:443
185.56.76.28:443
204.138.26.60:443
60.51.47.65:443
74.85.157.139:443
68.69.26.182:443
38.110.103.136:443
38.110.103.18:443
138.34.28.219:443
185.56.76.94:443
217.115.240.248:443
24.162.214.166:443
80.15.2.105:443
154.58.23.192:443
38.110.100.104:443
45.36.99.184:443
185.56.76.108:443
185.56.76.72:443
138.34.28.35:443
97.83.40.67:443
38.110.103.113:443
38.110.100.142:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
38.110.100.33:443
38.110.100.242:443
185.13.79.3:443

Unpacked files

SH256 hash:

8293a938479318e0e5fe1e46aef8957529a3385e4b01eb3966f251675c2207ad

MD5 hash:

ceea12ceb82dd0289a73a9632d87934c

SHA1 hash:

c2d06da72c804b98037db483a7601c3c052537ee

Link:

https://www.unpac.me/results/cc2920d4-eb5d-464f-8cfc-aaa59bd260c8/

SH256 hash:

216e35508763370c2c1fa3bcefd7a787ce0ae6846fae62d3e64e9983465e788e

MD5 hash:

ddb11882183bfe35b4fbf6f3d402f211

SHA1 hash:

a4c59b0e60d3835ff5a9783bc0c0866ab8801778

Link:

https://www.unpac.me/results/cc2920d4-eb5d-464f-8cfc-aaa59bd260c8/

SH256 hash:

aee959a3d2962de94ee5821868fd04abb79569314598ade2fb3cdf57826742e4

MD5 hash:

e4e7d246804b8dcceab9f33c9ce78abb

SHA1 hash:

7593140339ef9e3c603ac67af4d9e8bfb94b9e1c

Link:

https://www.unpac.me/results/cc2920d4-eb5d-464f-8cfc-aaa59bd260c8/

SH256 hash:

720f872f49e27bac70945be2dddc622b7af809da380d05e7e5e7b1f71e26fdee

MD5 hash:

a8b2f44a07f3f2c154a99c0fb9f53a4e

SHA1 hash:

264450f05308ba25bb48f58027f2398219f85755

Detections:

win_trickbot_a4

win_trickbot_auto

Link:

https://www.unpac.me/results/cc2920d4-eb5d-464f-8cfc-aaa59bd260c8/

SH256 hash:

f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1

MD5 hash:

66360f7753b50ab9fcbc03d51e1ce0b6

SHA1 hash:

159245e3d6461ca10d8cd49371554d7bf00f44e4

Link:

https://www.unpac.me/results/cc2920d4-eb5d-464f-8cfc-aaa59bd260c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f7c5108265f1b5b0140dddcbf9f2548214a43bdaa2cdaa251e72f1c64dbc2bf1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/170616/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample