MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90f48be7100a93a5e5b241ccf8bd5de70fbb3566558926310219256f1013603e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TrickBot

Vendor detections: 10

Maldoc score: 11

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	90f48be7100a93a5e5b241ccf8bd5de70fbb3566558926310219256f1013603e
SHA3-384 hash:	100bf187b6ccc1561c7d903e5136415957029803a76f91f037c28452d80b09b6ef704ae673ae5beb31b4ae18813f4d1a
SHA1 hash:	4a082ed1c969028aeafae7773ef86d35e680e4e0
MD5 hash:	d27ac168b5642518471c6e94c894d9c1
humanhash:	ceiling-charlie-connecticut-aspen
File name:	Customer_Payment-32_41295101.xlsm
Download:	download sample
Signature	TrickBot Create hunting rule
File size:	342'278 bytes
First seen:	2021-08-05 17:53:11 UTC
Last seen:	Never
File type:	xlsm
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	6144:OA7d3sarp3rJrrOhGJVbZVAhFDgMID1uY38o4KvhWZNHM6Qu2IAuFG4:J7pXrp3x5JVE6xDcY38o4hnsnIAuFG4
TLSH	T1B07423139F6024AFEECD067ED00417D4672E6724A102D1092794F609AF5BAE7F3CB96E
Reporter	abuse_ch
Tags:	sat3 TrickBot xlsm

abuse_ch

TrickBot payload URL:
http://162.248.227.43/a.php

TrickBot C2s:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 11

OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section ID	Section size	Section name
A1	584 bytes	PROJECT
A2	137 bytes	PROJECTwm
A3	3336 bytes	VBA/_VBA_PROJECT
A4	597 bytes	VBA/dir
A5	990 bytes	VBA/1
A6	990 bytes	VBA/2
A7	990 bytes	VBA/5
A8	990 bytes	VBA/6
A9	990 bytes	VBA/8
A10	990 bytes	VBA/9
A11	1570 bytes	VBA/

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Workbook_Open	Runs when the Excel Workbook is opened
IOC	162.248.225.122	IPv4 address
Suspicious	Run	May run an executable file or a system command
Suspicious	EXEC	May run an executable file or a system
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious	Base64 Strings	Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious	XLM macrosheet	XLM macrosheet found. It could contain malicious code

Intelligence

File Origin

# of uploads :

# of downloads :

254

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Customer_Payment-32_41295101.xlsm

Verdict:

Suspicious activity

Analysis date:

2021-08-05 17:56:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/94b48e81-75e6-414e-a8f9-735df7a7a7d1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/vnd.ms-excel.sheet.macroEnabled.12

Has a screenshot:

False

Contains macros:

True

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176768/

Detection(s):

TwinWave.EvilDoc.XL4MDottedQuadDancingInHeaven.20210421.UNOFFICIAL

TwinWave.EvilDoc.EvilMacroSheet.QakyAgainstTheWind.20210602.UNOFFICIAL

ditekSHen.INDICATOR.OOXML.Excel4MacrosEXEC.UNOFFICIAL

SecuriteInfo.com.MSOffice.DdeExec-3.UNOFFICIAL

TwinWave.EvilDoc.OOXMLXLSLOLBINHammerToFall.20201218.UNOFFICIAL

TwinWave.EvilDoc.XLMSumBodyToLove.M2.032421.UNOFFICIAL

TwinWave.EvilDoc.OXML.EvilMacroSheetMignightQakTrainToMemphis.M2.20210521.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a process with a hidden window

Creating a file

Replacing files

Searching for the window

Connection attempt by exploiting the app vulnerability

Launching a process by exploiting the app vulnerability

Deleting of the original file

Result

Verdict:

Malicious

File Type:

OOXML Excel File with Excel4Macro

Link:

https://app.docguard.net/90f48be7100a93a5e5b241ccf8bd5de70fbb3566558926310219256f1013603e/results/dashboard

Payload URLs

URL

File name

http://162.248.225.122/0.

intlsheet1.xml

Document image

Image:

Download PNG

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/90f48be7100a93a5e5b241ccf8bd5de70fbb3566558926310219256f1013603e

Details

Macro with Startup Hook

Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

IPv4 Dotted Quad URL

A URL was detected referencing a direct IP address, as opposed to a domain name.

Macro Execution Coercion

Detected a document that appears to social engineer the user into activating embedded logic.

Macro Contains Suspicious String

Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/827601

Signature

Document contains an embedded VBA macro which may execute processes

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Excel documents contains an formula which executes processes when the document is opened

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Microsoft Office Product Spawning Windows Shell

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90f48be7100a93a5e5b241ccf8bd5de70fbb3566558926310219256f1013603e/

Threat name:

Document-Office.Downloader.SLoad

Status:

Malicious

First seen:

2021-08-05 17:54:05 UTC

AV detection:

3 of 46 (6.52%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sd2ixzyqbkj2lznsihgprpk544h3wnlgkwesmmicdesw6eatma7a._file

Result

Malware family:

n/a

Score:

10/10

Tags:

macro xlm

Link:

https://tria.ge/reports/210805-ms4khmbzhe/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Process spawned unexpected child process

Malware Config

Dropper Extraction:

http://162.248.225.122/0.php

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/90f48be7100a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/90f48be7100a93a5e5b241ccf8bd5de70fbb3566558926310219256f1013603e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.