MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18
SHA3-384 hash: 18a2ad012ed871951917b59d64a318176604926715e99c469d1217decd1af13584cae4f13dab7ca71d3ef75caef91f6a
SHA1 hash: a846e68a6d927ec6ea41b0958c20f02fed066842
MD5 hash: 219a612b8cf85f5fecbb7e6e27ae0e47
humanhash: mobile-football-enemy-high
File name:SecuriteInfo.com.Heur.10838.2618
Download: download sample
Signature TrickBot
Create hunting rule
File size:280'576 bytes
First seen:2021-05-04 23:49:00 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 6144:acPiTQAVW/89BQnmlcGvgZ7r3J8b5IYJK+nBoOhF:RnOH
TLSH B354E482B1129564E1585F36E836457C42EBEEAA7B38F18B2C04F3B73B771D23E41919
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149855/
Detection(s):
SecuriteInfo.com.Heur.10838.2618.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.Excel4DragoTrainingMontage.20210204.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.QakySoWacky.M2.20210218.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.QakySoWacky.M3.20210301.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.XL4MQakyEsqHomeComing.20210423.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy Office File
Link:
https://app.docguard.net/3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18/results/dashboard
Payload URLs
URL
File name
parkisolutions.com/nerugin.
Book
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18
Result
Threat name:
Hidden Macro 4.0 Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711023
Signature
Allocates memory in foreign processes
Delayed program exit found
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Drops PE files to the user root directory
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
May check the online IP address of the machine
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected hidden Macro 4.0 in Excel
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404437 Sample: SecuriteInfo.com.Heur.10838.2618 Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Document exploit detected (drops PE files) 2->56 58 8 other signatures 2->58 9 EXCEL.EXE 12 26 2->9         started        14 taskeng.exe 1 2->14         started        process3 dnsIp4 48 parkisolutions.com 166.62.28.122, 443, 49165 AS-26496-GO-DADDY-COM-LLCUS United States 9->48 32 C:\Users\user\iofjgjfldnd.hde, PE32 9->32 dropped 34 C:\Users\user\AppData\...\nerugin[1].dll, PE32 9->34 dropped 74 Document exploit detected (creates forbidden files) 9->74 76 Document exploit detected (UrlDownloadToFile) 9->76 16 rundll32.exe 9->16         started        18 rundll32.exe 14->18         started        file5 signatures6 process7 process8 20 rundll32.exe 16->20         started        signatures9 60 Writes to foreign memory regions 20->60 62 Allocates memory in foreign processes 20->62 64 Delayed program exit found 20->64 23 wermgr.exe 6 20->23         started        process10 dnsIp11 42 103.124.173.35, 443 SHIRSTY9-ASShirstyInternetServicesPvtLtdIN India 23->42 44 103.66.72.217, 443 RAILTEL-AS-INRailTelCorporationofIndiaLtdInternetSe India 23->44 46 9 other IPs or domains 23->46 66 Hijacks the control flow in another process 23->66 68 May check the online IP address of the machine 23->68 70 Tries to harvest and steal browser information (history, passwords, etc) 23->70 72 3 other signatures 23->72 27 cmd.exe 13 23->27         started        signatures12 process13 dnsIp14 50 103.102.220.50, 443, 49180 ZT-AS-APZohakTechnologyZ-TechAF Afghanistan 27->50 36 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 27->36 dropped 38 C:\Users\user\AppData\...\Login Data.bak, SQLite 27->38 dropped 40 C:\Users\user\AppData\Local\...\History.bak, SQLite 27->40 dropped 78 Tries to harvest and steal browser information (history, passwords, etc) 27->78 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-05-04 23:49:08 UTC
AV detection:
3 of 47 (6.38%)
Threat level:
  2/5
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:net10 banker macro trojan xlm
Link:
https://tria.ge/reports/210504-mzl4baq6mn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Templ.dll packer
Process spawned unexpected child process
Trickbot
Malware Config
C2 Extraction:
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
Dropper Extraction:
https://parkisolutions.com/nerugin.dll
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cd2b72f85d145e8bfc5fadc184e97d6d102e3b22a45815358c43538c9c1dc18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149855/

Comments