General

  • Target

    ORDER787-5.xls

  • Size

    161KB

  • Sample

    210105-qhdepkbwjx

  • MD5

    1d97c6cb50c4107498e4f0e76f539f0c

  • SHA1

    a4dc090837c76aed324bea19c9f62e2d47bb7bc8

  • SHA256

    1b761a682092f8be6c7e9eef709be08a7105159a5e4ffb7722b0530fba308ba4

  • SHA512

    08c580cbb19b3684f96ab82ec358ca42b796d52045c71d7f794f91d745b62f184d0b1c6842dd6577fb2a0b762bd236f1d1d593b3c592767788fda08739b025a3

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://www.penrithdentalimplants.com.au/ls/apperolew.png

Extracted

  • Family

    trickbot

  • Version

    100009

  • Botnet

    rob33

  • C2

    149.54.11.54:449

    36.89.191.119:449

    41.159.31.227:449

    103.150.68.124:449

    103.126.185.7:449

    103.112.145.58:449

    103.110.53.174:449

    102.164.208.44:449

    194.5.249.143:443

    142.202.191.175:443

    195.123.241.31:443

    45.89.125.214:443

    45.83.151.103:443

    91.200.103.41:443

    66.70.246.0:443

    64.74.160.218:443

    198.46.198.115:443

    5.34.180.173:443

    23.227.196.5:443

    195.123.241.115:443

Attributes

  • autorun

    Name: pwgrab

  • ecc_pubkey.base64

Targets

    • Target

      ORDER787-5.xls


    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Templ.dll packer

      Detects Templ.dll packer which usually loads Trickbot.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (1): T1112

  • Discovery

    Query Registry (2): T1012

    System Information Discovery (2): T1082

Tasks