trickbot | 810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5 | Triage

Submit
Reports

Overview

overview

Static

static

8

Document_C..._7.xls

windows7_x64

6

Document_C..._7.xls

windows10_x64

Sharing

General

Target

Document_Covid-19_7.xls
Size

85KB
Sample

200704-4zk76befys
MD5

58b62b641066a1ea49e34a2f711a1854
SHA1

4bf1830ed130fe97e50807b1a4ba4749c8fefe75
SHA256

810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5
SHA512

82b4f73fe39cedd829178c72774094746bf471ac6d3e740339733045851c8831525a506bf8682c4e0bdcf34a1fac09d263e700c08d14ee1ca0748025c4091cb2

Score

10^/10

trickbot chil58 banker macro spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

Document_Covid-19_7.xls

Resource

win7v200430

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Document_Covid-19_7.xls

Resource

win10

spyware trojan banker trickbot

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

chil58

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

121.100.19.18:449

190.136.178.52:449

45.6.16.68:449

110.232.76.39:449

122.50.6.122:449

103.12.161.194:449

36.91.45.10:449

110.93.15.98:449

80.210.32.67:449

103.111.83.246:449

200.107.35.154:449

36.89.182.225:449

36.89.243.241:449

36.92.19.205:449

110.50.84.5:449

182.253.113.67:449

36.66.218.117:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  Document_Covid-19_7.xls
- Size
  
  85KB
- MD5
  
  58b62b641066a1ea49e34a2f711a1854
- SHA1
  
  4bf1830ed130fe97e50807b1a4ba4749c8fefe75
- SHA256
  
  810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5
- SHA512
  
  82b4f73fe39cedd829178c72774094746bf471ac6d3e740339733045851c8831525a506bf8682c4e0bdcf34a1fac09d263e700c08d14ee1ca0748025c4091cb2
Score

10^/10

spyware trojan banker trickbot
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

spywaretrojanbankertrickbot

© 2018-2024

Terms | Privacy