MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa18696ec34e6230f7720bbd7957b45d600a7e42e9e5f344ae003ba6ba5dcb2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa18696ec34e6230f7720bbd7957b45d600a7e42e9e5f344ae003ba6ba5dcb2a
SHA3-384 hash: 349296ac62fd4f8c0a87b72ecbbe176ad08f13a019e003bb45561d0d4d139769ec4b0760da211ba65e9593b57ef5c6f4
SHA1 hash: 370c41621880d5faac4748f60715ffb7239c4aef
MD5 hash: 20a5f23c27f0aec0cf6e49b305617a80
humanhash: edward-white-victor-double
File name:20a5f23c27f0aec0cf6e49b305617a80.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:880'640 bytes
First seen:2021-11-02 06:22:41 UTC
Last seen:2021-11-02 08:16:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5c272247eecddf77307138917800d024 (6 x TrickBot)
ssdeep 12288:JRqRm+QxRDily1wWliME5x2tyyzY+G8dZpBHmG+TqHS0xMgBHfrSs1l:bxmy1wMiME5lMdZpBPHSyrSs1
Threatray 4'063 similar samples on MalwareBazaar
TLSH T1A615CF567DF0C07BD2B290314EF1BB7A66F999209B234EC727858B0D7A34CC1563627A
File icon (PE):PE icon
dhash icon 78a399ad3c1c2d2c (6 x TrickBot)
Reporter abuse_ch
Tags:exe lip144 TrickBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20a5f23c27f0aec0cf6e49b305617a80.exe
Verdict:
Malicious activity
Analysis date:
2021-11-02 06:43:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/da0ef752-584d-4277-94db-b36578af15e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201262/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.16895.11896.32222.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/6180d94a9982ff7c3f7a2d39/reports/e6a3161c-cec2-45c4-93c8-f1a453e1b1a0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7c9fbc9-7b60-4da6-925a-b5d4148ff222
Result
Threat name:
TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880982
Signature
Allocates memory in foreign processes
Found detection on Joe Sandbox Cloud Basic with higher score
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fa18696ec34e6230f7720bbd7957b45d600a7e42e9e5f344ae003ba6ba5dcb2a/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 06:23:07 UTC
AV detection:
14 of 44 (31.82%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
4e93dcc21ee091596b5ecfac0c5076e14fff78617223cb1e19a2686c7113fade
TrickBot
549babb526332bc84aeab495b8b99982c30497716142c317e13fe3e96cf7188e
TrickBot
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
TrickBot
64c5309cb3d2245b3dfadf321296c8a7cf86c9ae33764e09a41932c3c4fc823e
TrickBot
6db7642e42467842b97947426d78418e58c1e0b25f125ce0faa8bfa6436a70b2
TrickBot
89b3499862e34095b284fc1b97bdd3f2d2f7bf56b6f43bfaed554d9872498bc7
TrickBot
d418e24f1da80e970160a4192050392dbf3e50a89458f46dbbd753423ebdbbde
TrickBot
+ 4'053 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:lip144 banker trojan
Link:
https://tria.ge/reports/211102-g5gfeabgf9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Unpacked files
SH256 hash:
2df85213bc9e3c4923b7ced44b7a00ab380e62885805f7bcf3e0dc7988a42a35
MD5 hash:
330f473b964c05b7a27212c783509fce
SHA1 hash:
d5ebd4248c9134ba95a8d1ba6412c594dd2f2c52
Link:
https://www.unpac.me/results/84948c18-3cd2-4906-b7f9-36126b570c25/
SH256 hash:
d8a1f6bf13fccdd71446421f7a6c28ff7b6d3d3508d92e18bc769c646e2da719
MD5 hash:
eeefb7b3bf9c0196fa1752f9697d8bc9
SHA1 hash:
cdd7935d9c8ea218f2ae066c03aff8cbdfc217c7
Detections:
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/84948c18-3cd2-4906-b7f9-36126b570c25/
Parent samples :
fa18696ec34e6230f7720bbd7957b45d600a7e42e9e5f344ae003ba6ba5dcb2a
1e3c36790dbf9d4a964b5ed21b13dcb1a0328aea5b8d2cdd906aeb00a1742541
SH256 hash:
e311df6df1151b3a68d3d65ae36d6a596392aa829468bace42bdc1ba979935e9
MD5 hash:
e1b7eef534e85ecf574610d4036a852d
SHA1 hash:
922b3c651b00b15f1597d65fb28c99c2d38bce23
Link:
https://www.unpac.me/results/84948c18-3cd2-4906-b7f9-36126b570c25/
SH256 hash:
fa18696ec34e6230f7720bbd7957b45d600a7e42e9e5f344ae003ba6ba5dcb2a
MD5 hash:
20a5f23c27f0aec0cf6e49b305617a80
SHA1 hash:
370c41621880d5faac4748f60715ffb7239c4aef
Link:
https://www.unpac.me/results/84948c18-3cd2-4906-b7f9-36126b570c25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa18696ec34e6230f7720bbd7957b45d600a7e42e9e5f344ae003ba6ba5dcb2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_trickbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.trickbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe fa18696ec34e6230f7720bbd7957b45d600a7e42e9e5f344ae003ba6ba5dcb2a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1698135/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201262/

Comments