MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 10


Maldoc score: 21


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31
SHA3-384 hash: cbe6f3e3f79aa4317efd2786054b1e1530ff6de45dc5c7734e34be2c742dc15f7753d42d1bbeb802533ca3a28a94613b
SHA1 hash: aa145cd9773b10c5b9967c65d80ec4c92115e745
MD5 hash: dc05be7a3a80a8361cebded08ba1ad6f
humanhash: apart-apart-kansas-queen
File name:doc1 (33).xlsm
Download: download sample
Signature TrickBot
Create hunting rule
File size:133'362 bytes
First seen:2021-10-19 14:52:04 UTC
Last seen:Never
File type:Excel file xlsm
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 3072:dowDjHBTUVNamX9Ip7ovpcrHwic2GDDJ3i+jBhY9cTc8sF:+wfBTUVbNICGrQ/J3ZjBzg8u
TLSH T172D3E0C9E02668A7C9003438B28883F192A82587D6C8E9357D5DCB5847BD3A7970F5FF
Reporter abuse_ch
Tags:rob136 TrickBot xlsm


Avatar
abuse_ch
TrickBot payload URL:
http://195.133.192.72/images/aredplane.png

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 21
OLE dump

MalwareBazaar was able to identify 24 sections in this file using oledump:

Section IDSection sizeSection name
A1778 bytesPROJECT
A2158 bytesPROJECTwm
A397 bytesUserForm1/CompObj
A4291 bytesUserForm1/VBFrame
A5395 bytesUserForm1/f
A6476 bytesUserForm1/o
A71456 bytesVBA/UserForm1
A811580 bytesVBA/_VBA_PROJECT
A916150 bytesVBA/__SRP_0
A102956 bytesVBA/__SRP_1
A11174 bytesVBA/__SRP_2
A12562 bytesVBA/__SRP_3
A13684 bytesVBA/__SRP_4
A148947 bytesVBA/__SRP_5
A15998 bytesVBA/__SRP_6
A1666 bytesVBA/__SRP_7
A17963 bytesVBA/dir
A1810055 bytesVBA/uoerhlf
A1960643 bytesVBA/zvjwhr
A20984 bytesVBA/1
A21984 bytesVBA/2
A22984 bytesVBA/3
A237174 bytesVBA/
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
IOCwinmm.dllExecutable file name
SuspiciousOpenMay open a file
SuspiciousPutMay write to a file (if combined with Open)
SuspiciousBinaryMay read or write a binary file (if combined with Open)
SuspiciousShellExecuteAMay run an executable file or a system command
Suspiciousshell32May run an executable file or a system command
SuspiciousFindWindowMay enumerate application windows (if combined with Shell.Application object)
SuspiciousLibMay run code from a DLL
SuspiciousChrWMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
415
Origin country :
n/a
Vendor Threat Intelligence
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198592/
Detection(s):
MiscreantPunch.EvilMacro.PSHELLB64INVOKEDASHWINVOKEDASHW.4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Excel File with Macro
Link:
https://app.docguard.net/056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
macros macros-on-open
Link:
https://www.filescan.io/uploads/616edb979a5a1e91c5c6afa7/reports/0bde5640-0c4e-4800-94d2-3b4db9d5ec81/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31
Details
Chunked Suspicious Strings
Detected seemingly chunked sensitive strings. High likely hood of obfuscated malintent.
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Macro with DLL Reference
Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/873382
Signature
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Encoded PowerShell Command Line
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31/
Threat name:
Document-Office.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 14:52:10 UTC
AV detection:
10 of 43 (23.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=avxbxxj3ywn44rs47tvex7zzq5vzscdhk7s3h4y57has4w34vmyq._file
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:rob136 banker macro trojan
Link:
https://tria.ge/reports/211019-r8rewsghfr/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Process spawned unexpected child process
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/056e1bdd3bc5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xlsm 056e1bdd3bc59bce465cfcea4bff39876b99086757e5b3f31df9c12e5b7cab31

(this sample)

TrickBot

DLL dll 968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f

  
URLhaus
https://urlhaus.abuse.ch/url/1696421/
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198592/
  
Dropping
SHA256 968a796e04e6cf1ee9bcfb89923369373056790e9d37afaaeeacbb427f5a891f
  
Dropping
MD5 35874bb0db7d5712d1dfa229f8033aab

Comments