Overview

overview

10

Static

static

8

Attachment_65778.xlsb

windows7_x64

10

Attachment_65778.xlsb

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Attachment_65778.xlsb.zip

  • Size

    93KB

  • Sample

    210211-f8g819feqe

  • MD5

    0e6c053916cb00d2f390130bab5288a4

  • SHA1

    08bb407e02afc8d59b87f47924db185c27a60f9e

  • SHA256

    9d4d65f70a7a47142c6cacdee4deb4e48b543cd193bb169349a8d53509ca4b99

  • SHA512

    aa4b95b5bd9ba1e652a22196982bd7da4fa6a1268b93e118e445fddf7e7b1fe52818ce96b031c456bc7d1ed18edc85584cb115e015eccc5c0c8c95f9c179a5a4

Score
10/10
trickbotmon48bankermacrotrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://85.90.247.25/campo/o/o

Extracted

Family

trickbot

Version

100011

Botnet

mon48

C2

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64
ecc_pubkey.base64

Targets

    • Target

      Attachment_65778.xlsb

    • Size

      106KB

    • MD5

      acb967e1800b869e2752cc40a4ec59a5

    • SHA1

      3a85bc98fb07511fec699c07631791ef46ac3253

    • SHA256

      2a0715701189d587df4f40632957f0bbd12cc1e5847b6c8d017254d6ddce6ef1

    • SHA512

      5120079589e1add80eff0db2ecd60f5240578f9f6c738bca742d64dbd141d90f362989cbf0018818f5702fcac0c7c67c28f7bc1477ae2cbffa79bc78cb6927b7

    Score
    10/10
    trickbotmon48bankertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Templ.dll packer

      Detects Templ.dll packer which usually loads Trickbot.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks