Overview

overview

10

Static

static

8

test

windows7_x64

10

Resubmissions

10-11-2020 14:09

201110-j4kq1f84yn 10

10-11-2020 13:52

201110-tjb64jlajj 10

10-11-2020 13:37

201110-ad9dyxzvqj 8

10-11-2020 13:27

201110-kb2vhm8a22 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Document_11_9.doc

  • Size

    1.2MB

  • Sample

    201110-j4kq1f84yn

  • MD5

    bc0cc1e707b236fbd5cf9b27ff3c9461

  • SHA1

    8b4c8c22c4b14dd5d9d6cc4975bf6f2af208e924

  • SHA256

    dd3f16d98fa14d7e5fb83b3917ff3a42a5cf74356c4ec46391b608b20355d5fe

  • SHA512

    df8bdce95f04ebf58112c994fc79792a76722f1ef7af5364994b1e46dafb517e9cc320a260a11b2336959a883c7d349bdd068f6bdcf01a83bd6e8ce964988688

Score
10/10
trickbottar2bankermacropersistencespywaretrojan

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

C2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      Document_11_9.doc

    • Size

      1.2MB

    • MD5

      bc0cc1e707b236fbd5cf9b27ff3c9461

    • SHA1

      8b4c8c22c4b14dd5d9d6cc4975bf6f2af208e924

    • SHA256

      dd3f16d98fa14d7e5fb83b3917ff3a42a5cf74356c4ec46391b608b20355d5fe

    • SHA512

      df8bdce95f04ebf58112c994fc79792a76722f1ef7af5364994b1e46dafb517e9cc320a260a11b2336959a883c7d349bdd068f6bdcf01a83bd6e8ce964988688

    Score
    10/10
    trickbottar2bankerpersistencespywaretrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

      persistence
    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Remote System Discovery

1
T1018

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks