trickbot

General

Target

1599400056-01282021.xls
Size

45KB
Sample

210128-aaz8g4j9f2
MD5

b4f063612cbe944f5f63e3e132793941
SHA1

a406e09e9e71531b184d2acda1192d5de69c1eb4
SHA256

c58672786cc5ff1aee1f2f582e209857a8fe055d5fefda026ff374cf7dab3968
SHA512

df55081b75c8bdde7b5cbbe00577e1f37f1f90bd19834f58cee601b202fbc75cdefac4da3ce1b0434deb43740b24a60bff9fa9b5c2496ed84cd65b033d8e2e35

Score

10^/10

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

rob42

C2

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  1599400056-01282021.xls
- Size
  
  45KB
- MD5
  
  b4f063612cbe944f5f63e3e132793941
- SHA1
  
  a406e09e9e71531b184d2acda1192d5de69c1eb4
- SHA256
  
  c58672786cc5ff1aee1f2f582e209857a8fe055d5fefda026ff374cf7dab3968
- SHA512
  
  df55081b75c8bdde7b5cbbe00577e1f37f1f90bd19834f58cee601b202fbc75cdefac4da3ce1b0434deb43740b24a60bff9fa9b5c2496ed84cd65b033d8e2e35
Score

10^/10

trickbot rob42 banker trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Templ.dll packer

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2