Overview

overview

10

Static

static

Forever

windows7_x64

10

Eternity

windows7_x64

1

Resubmissions

23-09-2020 14:42

200923-46vagsg26s 10

21-09-2020 18:03

200921-d7szzs4t26 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    boq_6_boq.doc

  • Size

    684KB

  • Sample

    200923-46vagsg26s

  • MD5

    4913959946c7c8d9ff682439eb108928

  • SHA1

    2e77f1b7c588d274bd998dc6dda422363cc6f9ba

  • SHA256

    052c9196dfe764f1fbd3850d706d10601235dc266d1151c93d34454a12206c28

  • SHA512

    b74c1b001c628bc762eda6d724b674b8951380d8eb1e94fdfc59852b67e851b8ca670905e565467431c5c8b0282fe5f6c9f4ba8f0ce41840530959c13ce1c595

Score
10/10
trickbotono76bankerpersistencespywaretrojan

Malware Config

Extracted

Family

trickbot

Version

1000513

Botnet

ono76

C2

51.89.177.20:443

194.5.249.174:443

107.174.196.242:443

185.205.209.241:443

82.146.46.220:443

5.34.178.126:443

212.22.70.65:443

195.123.241.90:443

185.164.32.214:443

198.46.198.139:443

195.123.241.187:443

86.104.194.116:443

195.123.240.252:443

185.164.32.215:443

45.148.120.195:443

45.138.158.32:443

5.149.253.99:443

92.62.65.163:449

88.247.212.56:449

180.211.170.214:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      boq_6_boq.doc

    • Size

      684KB

    • MD5

      4913959946c7c8d9ff682439eb108928

    • SHA1

      2e77f1b7c588d274bd998dc6dda422363cc6f9ba

    • SHA256

      052c9196dfe764f1fbd3850d706d10601235dc266d1151c93d34454a12206c28

    • SHA512

      b74c1b001c628bc762eda6d724b674b8951380d8eb1e94fdfc59852b67e851b8ca670905e565467431c5c8b0282fe5f6c9f4ba8f0ce41840530959c13ce1c595

    Score
    10/10
    trojanbankertrickbotspywarepersistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Blacklisted process makes network request

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies service

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks