MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faaa0098ad3de31c95506576653962bf783bdf347b6d22255d707561e30c5350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 8

SHA256 hash: faaa0098ad3de31c95506576653962bf783bdf347b6d22255d707561e30c5350
SHA3-384 hash: 95f135f7ab2733626c8e4496103069ee26ab35cdcf9c83615f48bf0abf49e318d0b765d6a7528cd3f2002c949ea845e3
SHA1 hash: 92aaef7ce303ad5aeeb09c0acd38be75affc6f2d
MD5 hash: 26aca67e755b79679663436a4996ddbf
humanhash: oregon-grey-river-stream
File name: sbeaf9.exe
Signature: TrickBot
File size: 694'272 bytes
First seen: 2020-09-22 17:45:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2f5581749403d6c4d8f69e407a5b55c8 (1 x TrickBot)
ssdeep: 12288:uqluOGXcc5O95gTHGJGxc/Mi1qF6gnc4DYTP3EEyB7u/adsNDQmTHzRXy2EGkGux:uOu1CwamU+svEEs5sNDpTRXPhA
Threatray: 2'851 similar samples on MalwareBazaar
TLSH: A2E48E2176E6C233E1B25A700E79DFA145BA78248F7182CF67C4452E5A25FC19E32F36
Reporter: malware_traffic
Tags: TrickBot

Intelligence

File Origin
# of uploads: 1
# of downloads: 268
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Deleting a recently created file
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Sending a TCP request to an infection source
Result
Threat name: Trickbot
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Zenpak
Status: Malicious
First seen: 2020-09-22 17:47:05 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: trickbot
Score: 10/10
Tags: trojan banker family:trickbot
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
51.89.163.40:443
89.223.126.186:443
45.67.231.68:443
148.251.185.165:443
194.87.110.144:443
213.32.84.27:443
185.234.72.35:443
45.89.125.148:443
195.123.240.104:443
185.99.2.243:443
5.182.211.223:443
195.123.240.113:443
85.204.116.173:443
5.152.210.188:443
103.36.48.103:449
36.94.33.102:449
36.91.87.227:449
177.190.69.162:449
103.76.169.213:449
179.97.246.23:449
200.24.67.161:449
181.143.186.42:449
190.99.97.42:449
179.127.88.41:449
117.252.214.138:449
117.222.63.145:449
45.224.213.234:449
45.237.241.97:449
125.165.20.104:449
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments