MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63b91b66c7d71763867ce4333d503db7d46901d16f3e971d63498c89046e6a75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63b91b66c7d71763867ce4333d503db7d46901d16f3e971d63498c89046e6a75
SHA3-384 hash: fff221f77097fd8a38d6870cbb948be4bf171849a2f58e5db423847790f7af63aed521e13a46e1c51560b46e53a75c0f
SHA1 hash: 9f03c6d6182d9255a4acc96a68a578e3ca9ca17d
MD5 hash: 0c5031a6dba992845a442e5e901fd439
humanhash: seventeen-skylark-queen-harry
File name:SpreadSheets.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:708'608 bytes
First seen:2021-01-18 10:08:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 73ebe266453715f5acb1904d1369f8d7 (2 x TrickBot)
ssdeep 6144:RQHW+U9EQHWXss6tqaMoEolhsmAfqDwS2jnloTgMk/0Sr:R6U63f05fPAfwwS2qlXSr
Threatray 4'725 similar samples on MalwareBazaar
TLSH 4AE4CF606F84E403F265553059674AB94E7C6C93AC52482BF7A8FD5D2CB8AC71CE232F
Reporter Rony
Tags:tot6 TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SpreadSheets.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-18 10:11:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a860191c-c7df-40ae-a7b4-531e35735df4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
TrickBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114526/
Detection(s):
Win.Malware.Razy-9822072-0
Create hunting rule

Win.Trojan.Razy-9822073-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Connection attempt
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Trickbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583673
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hijacks the control flow in another process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Trickbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 340873 Sample: SpreadSheets.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 46 107.172.188.113:443 unknown unknown 2->46 48 158.51.96.31:443 unknown unknown 2->48 50 4 other IPs or domains 2->50 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Found malware configuration 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 4 other signatures 2->74 10 SpreadSheets.exe 4 2->10         started        13 SpreadSheets.exe 1 2->13         started        signatures3 process4 file5 36 C:\Users\user\AppData\...\SpreadSheets.exe, PE32 10->36 dropped 38 C:\Users\...\SpreadSheets.exe:Zone.Identifier, ASCII 10->38 dropped 16 SpreadSheets.exe 1 10->16         started        86 Writes to foreign memory regions 13->86 88 Allocates memory in foreign processes 13->88 19 wermgr.exe 13->19         started        signatures6 process7 signatures8 60 Multi AV Scanner detection for dropped file 16->60 62 Machine Learning detection for dropped file 16->62 64 Writes to foreign memory regions 16->64 66 Allocates memory in foreign processes 16->66 21 wermgr.exe 1 16->21         started        process9 dnsIp10 52 107.152.46.188, 443, 49756 TZULOUS United States 21->52 54 36.89.191.119, 449, 49746 TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID Indonesia 21->54 56 11 other IPs or domains 21->56 76 Hijacks the control flow in another process 21->76 78 Writes to foreign memory regions 21->78 80 Tries to detect virtualization through RDTSC time measurements 21->80 82 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 21->82 25 cmd.exe 11 21->25         started        30 cmd.exe 1 21->30         started        signatures11 process12 dnsIp13 58 186.47.209.222, 443, 49767, 49782 CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC Ecuador 25->58 40 C:\Users\user\AppData\Local\...\Web Data.bak, SQLite 25->40 dropped 42 C:\Users\user\AppData\...\Login Data.bak, SQLite 25->42 dropped 44 C:\Users\user\AppData\Local\...\History.bak, SQLite 25->44 dropped 84 Tries to harvest and steal browser information (history, passwords, etc) 25->84 32 conhost.exe 25->32         started        34 conhost.exe 30->34         started        file14 signatures15 process16
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63b91b66c7d71763867ce4333d503db7d46901d16f3e971d63498c89046e6a75/
Threat name:
Win32.Trojan.Trickpak
Create hunting rule
Status:
Malicious
First seen:
2021-01-07 17:23:48 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mo4rwzwh24lwhbt44qzt2ub5w7kgsaorn47johldjggisbdonj2q._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
Similar samples:
77985fca7ae6b60c8025ba326e3bd1d9949c3fb32b9ca0f99f040be633823a7c
TrickBot
7b379e5dd60536e28d876fd99a019dbf070807482a1aa9e2f29ce9957914c93e
TrickBot
7ea934ecc247a346def2191b21abd7ff8cf1119bd9dfe8317ed05fc42d2d4b5d
TrickBot
828ce17fb46f7a300d59233cd5c5d77b4880f63cd91802cdb269d241c2b1a9ec
TrickBot
b19739ad003d5bbd5f2fcc99f0d19d22cb389ae78ca81f31472cff469e53cf2c
TrickBot
c2d499169a652c5c86ef28b7dca25f23e986bdd93b23fe02115923f698d61b58
TrickBot
c77e12c582e1fa95272debdbde53eee509d1f57a5d6693f5308eb1a22d8a4367
TrickBot
d64217395d8a43cd86ae4f154bcfcb62755241a26e4bfbdd06f049fbbfa38fca
TrickBot
ed235c8cf8895b7104f70ad7fb3d6c8dfddaa152edb4c69f7e1ca9d77e26d127
TrickBot
ff03d07c9ffeef7cf5246259e12f9feb37b5d01817e42d5bcaf9052e89df4b7e
TrickBot
+ 4'715 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:tot6 banker trojan
Link:
https://tria.ge/reports/210118-pgzqs47gxa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Trickbot
Malware Config
C2 Extraction:
149.54.11.54:449
36.89.191.119:449
41.159.31.227:449
103.150.68.124:449
103.126.185.7:449
103.112.145.58:449
103.110.53.174:449
102.164.208.44:449
194.5.249.143:443
142.202.191.175:443
195.123.241.31:443
45.89.125.214:443
45.83.151.103:443
91.200.103.41:443
66.70.246.0:443
64.74.160.218:443
198.46.198.115:443
5.34.180.173:443
23.227.196.5:443
195.123.241.115:443
107.152.42.163:443
Unpacked files
SH256 hash:
18a7bd74fd37fc341a43635ba3e71b2b9c5c41a58dfc9ba737a8d9f0e552a361
MD5 hash:
bafd47bece1518f6f8bbf365bae3f607
SHA1 hash:
39ee54b91d9602ec301f7f0d89bc681bfb8e9567
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/1a2d0605-2a18-4f72-97c6-bc4a6e820e20/
SH256 hash:
86be883c52f5ae7db16b7729053f8c592e2c0324f60d63a66c4402abcfd2d677
MD5 hash:
425c1a1128142f5134d56769fe7ba0cc
SHA1 hash:
7cfc38f4a6d94e2da28035420b9a78b463ca26a1
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/1a2d0605-2a18-4f72-97c6-bc4a6e820e20/
SH256 hash:
63b91b66c7d71763867ce4333d503db7d46901d16f3e971d63498c89046e6a75
MD5 hash:
0c5031a6dba992845a442e5e901fd439
SHA1 hash:
9f03c6d6182d9255a4acc96a68a578e3ca9ca17d
Link:
https://www.unpac.me/results/1a2d0605-2a18-4f72-97c6-bc4a6e820e20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trickbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63b91b66c7d71763867ce4333d503db7d46901d16f3e971d63498c89046e6a75

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/BushidoToken/status/1350570401550770176
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114526/

Comments