Resubmissions

12-02-2021 00:38

210212-3lvfbc5xrs 10

12-02-2021 00:37

210212-4kxvgclptx 10

12-02-2021 00:24

210212-kvmnnj48me 10

General

  • Target

    Attachment_65307.xlsb

  • Size

    106KB

  • Sample

    210212-kvmnnj48me

  • MD5

    3827cfd0b93d8d87c434a774782e434a

  • SHA1

    1aff5b6db02cb808b41216e4bc4aeed1ef63b4d5

  • SHA256

    4513c7bf3eba413e076d4e091bd3d88284644f2f051b9ebfdd537f982ddd6e61

  • SHA512

    6e7bee5ba20655dcfd561db2c18409c7b72d8b84526efcff36a116565441922a880bfda071f24127cac43289c9ece12a98ff23d31ef91912e50c6d148f9e792b

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://85.90.247.25/campo/o/o

Extracted

Family

trickbot

Version

100011

Botnet

mon48

C2

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64
ecc_pubkey.base64

Targets

    • Target

      Attachment_65307.xlsb

    • Size

      106KB

    • MD5

      3827cfd0b93d8d87c434a774782e434a

    • SHA1

      1aff5b6db02cb808b41216e4bc4aeed1ef63b4d5

    • SHA256

      4513c7bf3eba413e076d4e091bd3d88284644f2f051b9ebfdd537f982ddd6e61

    • SHA512

      6e7bee5ba20655dcfd561db2c18409c7b72d8b84526efcff36a116565441922a880bfda071f24127cac43289c9ece12a98ff23d31ef91912e50c6d148f9e792b

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Templ.dll packer

      Detects Templ.dll packer which usually loads Trickbot.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks