Triage | Malware sandboxing report by Hatching Triage

Resubmissions

10-11-2020 14:09

201110-j4kq1f84yn 10

10-11-2020 13:52

201110-tjb64jlajj 10

10-11-2020 13:37

201110-ad9dyxzvqj 8

10-11-2020 13:27

201110-kb2vhm8a22 8

Sharing

General

Target

Document_11_9.doc
Size

1MB
Sample

201110-j4kq1f84yn
MD5

bc0cc1e707b236fbd5cf9b27ff3c9461
SHA1

8b4c8c22c4b14dd5d9d6cc4975bf6f2af208e924
SHA256

dd3f16d98fa14d7e5fb83b3917ff3a42a5cf74356c4ec46391b608b20355d5fe
SHA512

df8bdce95f04ebf58112c994fc79792a76722f1ef7af5364994b1e46dafb517e9cc320a260a11b2336959a883c7d349bdd068f6bdcf01a83bd6e8ce964988688

Score

10^/10

trickbot tar2 banker macro persistence spyware trojan

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

C2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  Document_11_9.doc
- Size
  
  1MB
- MD5
  
  bc0cc1e707b236fbd5cf9b27ff3c9461
- SHA1
  
  8b4c8c22c4b14dd5d9d6cc4975bf6f2af208e924
- SHA256
  
  dd3f16d98fa14d7e5fb83b3917ff3a42a5cf74356c4ec46391b608b20355d5fe
- SHA512
  
  df8bdce95f04ebf58112c994fc79792a76722f1ef7af5364994b1e46dafb517e9cc320a260a11b2336959a883c7d349bdd068f6bdcf01a83bd6e8ce964988688
Score

10^/10

trickbot tar2 banker persistence spyware trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Blacklisted process makes network request
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Modifies service
  persistence
behavioral1

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Modify Registry

Discovery

Execution

Command-Line Interface

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Modify Existing Service

Privilege Escalation

Tasks

static1

behavioral1

trickbottar2bankerpersistencespywaretrojan