Resubmissions

  • 21-12-2020 13:15  201221-amrnqr8y1x  10

  • 18-12-2020 13:39  201218-dfn1zbywhj  10

  • 18-12-2020 13:33  201218-ghm25thlne  10

  • 18-12-2020 13:24  201218-8cqjs79rmx  10

  • 17-12-2020 15:10  201217-vynrbd9fex  10

  • 16-12-2020 08:36  201216-r16axrnhmx  10

  • 16-12-2020 07:54  201216-p429ptbacj  8

General

  • Target

    Document-63665398-12152020.xls

  • Size

    54KB

  • Sample

    201218-8cqjs79rmx

  • MD5

    a278eb09284581c97e12c62a95c706bb

  • SHA1

    fae3ca2812ffc99d3033ee4915a3b449c07acfab

  • SHA256

    f669b9a3d89a8061089d819d5e4469389656d0ae39188c147592d2e165267b41

  • SHA512

    d966f55e34fcd49c13a1750375131f4d1b204b8ed83a6ef462c65c04ad7b87200cacc2749c4cbe10977d38234620ea62fe25bc26a88c796312422a4867ff0d87

Malware Config

Extracted

  • Language: xlm4.0

  • Source:

Extracted

  • Family: trickbot

  • Version: 100007

  • Botnet: rob23

  • C2:


Attributes

  • autorun

    Name: pwgrab

  • ecc_pubkey.base64

Targets

    • Target

      Document-63665398-12152020.xls


    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Templ.dll packer

      Detects Templ.dll packer which usually loads Trickbot.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks