MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd
SHA3-384 hash: be6e66e9ea0a5f802251a8c70f27cc890545b6a37e4642bd5bbf7b96ee16377372a27f4b324ccf44dd186692ab2167ab
SHA1 hash: e67bb5d1240f2572dac3c4bf673cdfa13a1851c1
MD5 hash: 96ac4b6f8184f21eadac4e4f719447de
humanhash: jupiter-blue-apart-orange
File name:Documents_52436149_1332453001.xls
Download: download sample
Signature TrickBot
Create hunting rule
File size:280'576 bytes
First seen:2021-05-05 05:35:21 UTC
Last seen:2021-05-05 07:12:15 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 6144:acPiTQAVW/89BQnmlcGvgZ7r3J8b5IYJK+nBoOhF:RnOH
TLSH DA54E482B1129564E1585F36E836457C42EBEEAA7B38F18B2C04F3B73B771D23E41919
Reporter cocaman
Tags:xls

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149896/
Detection(s):
TwinWave.EvilDoc.Excel4DragoTrainingMontage.20210204.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.QakySoWacky.M2.20210218.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.QakySoWacky.M3.20210301.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.XL4MQakyEsqHomeComing.20210423.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy Office File
Link:
https://app.docguard.net/507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd/results/dashboard
Payload URLs
URL
File name
parkisolutions.com/nerugin.
Book
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd
Result
Threat name:
Hidden Macro 4.0 TrickBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711438
Signature
Allocates memory in foreign processes
Delayed program exit found
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Drops PE files to the user root directory
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
May check the online IP address of the machine
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected hidden Macro 4.0 in Excel
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404641 Sample: Documents_52436149_1332453001.xls Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Document exploit detected (drops PE files) 2->42 44 7 other signatures 2->44 8 EXCEL.EXE 58 31 2->8         started        13 taskeng.exe 1 2->13         started        process3 dnsIp4 36 parkisolutions.com 166.62.28.122, 443, 49165 AS-26496-GO-DADDY-COM-LLCUS United States 8->36 26 C:\Users\user\iofjgjfldnd.hde, PE32 8->26 dropped 28 C:\Users\user\AppData\...\nerugin[1].dll, PE32 8->28 dropped 60 Document exploit detected (creates forbidden files) 8->60 62 Document exploit detected (UrlDownloadToFile) 8->62 15 rundll32.exe 8->15         started        17 rundll32.exe 13->17         started        file5 signatures6 process7 process8 19 rundll32.exe 15->19         started        signatures9 46 Writes to foreign memory regions 19->46 48 Allocates memory in foreign processes 19->48 50 Delayed program exit found 19->50 22 wermgr.exe 2 19->22         started        process10 dnsIp11 30 181.176.161.143, 443, 49167, 49168 VIETTELPERUSACPE Peru 22->30 32 115.73.211.230, 443, 49173, 49175 VIETEL-AS-APViettelGroupVN Viet Nam 22->32 34 9 other IPs or domains 22->34 52 May check the online IP address of the machine 22->52 54 Tries to harvest and steal browser information (history, passwords, etc) 22->54 56 Tries to detect virtualization through RDTSC time measurements 22->56 58 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 22->58 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 05:36:08 UTC
File Type:
Document
Extracted files:
3
AV detection:
5 of 47 (10.64%)
Threat level:
  2/5
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:net10 banker macro trojan xlm
Link:
https://tria.ge/reports/210505-xzfs5sbzw6/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Templ.dll packer
Process spawned unexpected child process
Trickbot
Malware Config
C2 Extraction:
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
Dropper Extraction:
https://parkisolutions.com/nerugin.dll
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Excel file xls 507a6d57570a5774ce656a1b82535a4992e2320c6a760a5e957665263bf102cd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/149896/

Comments