trickbot

Resubmissions

12-02-2021 00:38

210212-3lvfbc5xrs 10

12-02-2021 00:37

210212-4kxvgclptx 10

12-02-2021 00:24

210212-kvmnnj48me 10

Sharing

Copy URL

Twitter E-mail

General

Target

Attachment_65307.xlsb
Size

106KB
Sample

210212-kvmnnj48me
MD5

3827cfd0b93d8d87c434a774782e434a
SHA1

1aff5b6db02cb808b41216e4bc4aeed1ef63b4d5
SHA256

4513c7bf3eba413e076d4e091bd3d88284644f2f051b9ebfdd537f982ddd6e61
SHA512

6e7bee5ba20655dcfd561db2c18409c7b72d8b84526efcff36a116565441922a880bfda071f24127cac43289c9ece12a98ff23d31ef91912e50c6d148f9e792b

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://85.90.247.25/campo/o/o

Extracted

Family

trickbot

Version

100011

Botnet

mon48

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  Attachment_65307.xlsb
- Size
  
  106KB
- MD5
  
  3827cfd0b93d8d87c434a774782e434a
- SHA1
  
  1aff5b6db02cb808b41216e4bc4aeed1ef63b4d5
- SHA256
  
  4513c7bf3eba413e076d4e091bd3d88284644f2f051b9ebfdd537f982ddd6e61
- SHA512
  
  6e7bee5ba20655dcfd561db2c18409c7b72d8b84526efcff36a116565441922a880bfda071f24127cac43289c9ece12a98ff23d31ef91912e50c6d148f9e792b
Score

10^/10

trickbot mon48 banker trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Templ.dll packer

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2