Analyzed Samples
12,847
+124 new today
Identified Families
328
+3 new this week
Active Campaigns
47
2 new campaigns detected
Threat Actors
89
5 new attributions
Malware Variant Relationship Map
Loading variant relationship visualization...
Selected Sample Details
MaliciousSample Hash
a1b2c3d4e5f6...7890
File Type
Windows PE Executable (64-bit)
First Seen
2023-05-15 14:32:10 UTC
Malware Family
TrickBot
(92% confidence)
Associated Campaign
Operation Cobalt Strike
(87% confidence)
Threat Actor
Wizard Spider
(78% confidence)
Similarity Scores
Sample XZ-124 (TrickBot)
94%
Sample AB-789 (BazarLoader)
82%
Sample CD-456 (Ryuk)
67%
Tactics, Techniques, and Procedures (MITRE ATT&CK Framework)
Common TTPs Across Related Samples
Tactic
Execution
- Command-Line Interface (T1059) 92% match
- Windows Management Instrumentation (T1047) 87% match
Tactic
Persistence
- Registry Run Keys (T1547.001) 95% match
- Scheduled Task (T1053) 83% match
Tactic
Defense Evasion
- Process Injection (T1055) 89% match
- Obfuscated Files (T1027) 91% match
TTP Heatmap Across Variants
Indicator of Compromise Correlation
Shared IOCs
Domains
- malware-c2[.]com 5 variants
- download-update[.]net 3 variants
- secure-payment[.]xyz 2 variants
IP Addresses
- 185.143.223.47 4 variants
- 91.234.56.178 3 variants
File Hashes
- a1b2c3...7890 (DLL) 3 variants
- x7y8z9...1234 (EXE) 2 variants
IOC Timeline
YARA Rule Matches
TrickBot v4 Loader
98% match
BazarBackdoor C2
87% match
Ryuk Encryption
72% match
Malware Family Evolution Timeline
TrickBot v1.0
2016-10-15
First observed banking Trojan with web injects and form grabbing capabilities.
TrickBot v2.4
2017-05-22
Added modular architecture with plugin support for extended functionality.
TrickBot v3.1
2018-11-07
Incorporated worm-like spreading capabilities and SMB propagation.
TrickBot v4.2
2020-03-18
Integrated with Ryuk ransomware for double extortion attacks.
Code Similarity Analysis
Fuzzy Hashing Comparison
Shared Code Fragments
Encryption Routine
91% match
C2 Communication
87% match
Persistence Mechanism
83% match
Code Comparison Viewer
Current Sample
Related Sample (TrickBot v3.1)
void encryptFiles(string path) {
for (auto &entry : fs::directory_iterator(path)) {
if (entry.is_directory()) {
encryptFiles(entry.path());
} else {
auto file = entry.path();
if (isValidTarget(file)) {
RSAEncrypt(file);
rename(file, file += ".encrypted");
}
}
}
}void encryptFiles(string path) {
for (auto &entry : fs::directory_iterator(path)) {
if (entry.is_directory()) {
encryptFiles(entry.path());
} else {
auto file = entry.path();
if (shouldEncrypt(file)) {
RSAEncrypt(file);
rename(file, file += ".locked");
}
}
}
}
Highlighted code shows 91% similarity in encryption routines
Import Address Table (IAT) Comparison
Function
Current
Related
CreateProcessW
✓
✓
RegSetValueEx
✓
✓
WSASend
✓
✓
CryptEncrypt
✓
✓
Related Malware Samples
Sort by:
TrickBot v3.1
First seen: 2018-11-07
TrickBot
Operation Cobalt
Wizard Spider
Shared characteristics:
- Identical C2 communication pattern
- Similar persistence mechanism
- Shared encryption algorithm
BazarLoader v2
First seen: 2020-02-14
BazarLoader
Operation Cobalt
Wizard Spider
Shared characteristics:
- Similar initial loader code
- Common C2 infrastructure
- Overlapping TTPs
Ryuk v1.3
First seen: 2019-08-22
Ryuk
Operation Cobalt
Wizard Spider
Shared characteristics:
- Similar encryption implementation
- Common lateral movement techniques
- Shared infrastructure components
Actionable Intelligence
Threat Hunting
- Search for IOCs in your environment: malware-c2[.]com, 185.143.223.47
- Look for processes with command-line parameters matching known patterns
- Monitor registry keys for persistence mechanisms
Detection Rules
- YARA rule: TrickBot_Loader_v4 (92% match)
- Sigma rule: Ryuk_Encryption_Process
- Suricata rule: ET MALWARE TrickBot C2 Beacon
Mitigation
- Block communication to known C2 domains/IPs
- Disable SMBv1 and restrict RDP access
- Implement application whitelisting for critical directories
