General

  • Target

    Document_11_9.doc

  • Size

    1.2MB

  • Sample

    201109-45pb6hjgcx

  • MD5

    0650db5ba1284f04f799ade30a96919e

  • SHA1

    f98683987dfc02b61caacae0762fe10abef02798

  • SHA256

    4865f214e2eee5cd428229c424715d13746ad29341f89c57994c5123746fa4ce

  • SHA512

    95d24fc2e6d5b89e473a3e90ca29c5899086a3a788a5b7fb9efd00c3283a4556098fa1378fdff938bb440d54b0be9e65c4346c0dd45b8c49398a6f41a8f433c6

Malware Config

Extracted

  • Family

    trickbot

  • Version

    100001

  • Botnet

    tar2

  • C2


Attributes

  • autorun

    Name: pwgrab

  • ecc_pubkey.base64

Targets

    • Target

      Document_11_9.doc

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1059 Command-Line Interface (1)

  • Persistence

    T1031 Modify Existing Service (1)

  • Defense Evasion

    T1112 Modify Registry (2)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1018 Remote System Discovery (1)

    T1012 Query Registry (1)

    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (1)

Tasks