Overview

overview

10

Static

static

8

Attach_134...07.xls

windows7_x64

10

Attach_134...07.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Attach_1344833645_1944784007.xls

  • Size

    141KB

  • Sample

    210223-fh9ej935y6

  • MD5

    d565aff6f0f8712bd3a7529e19a8a419

  • SHA1

    ff573e49876b159f8821f9c8abfa6c344a5ed275

  • SHA256

    cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54

  • SHA512

    4af4bd83b514788f0d98fa6f18da332f53bddbac683774f10fbf7174e9a02e14bf91d01605b68b87a2b1606d5f67cb850693bd3a8391dab6e285fe08c708041e

Score
10/10
trickbotrob16bankermacrotrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://bearcatpumps.com.cn/css/tolkio.php

Extracted

Family

trickbot

Version

2000026

Botnet

rob16

C2

154.79.252.132:449

179.191.108.58:449

200.6.169.124:443

103.76.20.226:443

80.78.77.116:449

80.78.75.246:443

45.234.248.66:449

187.190.116.59:443

185.234.72.84:443

36.94.202.131:443

103.91.244.102:449

168.232.188.88:449

103.73.101.98:449

173.81.4.147:449

202.142.151.190:449

118.67.216.238:449

108.170.20.72:443

85.159.214.61:443

36.92.93.5:449

79.122.166.236:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      Attach_1344833645_1944784007.xls

    • Size

      141KB

    • MD5

      d565aff6f0f8712bd3a7529e19a8a419

    • SHA1

      ff573e49876b159f8821f9c8abfa6c344a5ed275

    • SHA256

      cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54

    • SHA512

      4af4bd83b514788f0d98fa6f18da332f53bddbac683774f10fbf7174e9a02e14bf91d01605b68b87a2b1606d5f67cb850693bd3a8391dab6e285fe08c708041e

    Score
    10/10
    trickbotrob16bankertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Templ.dll packer

      Detects Templ.dll packer which usually loads Trickbot.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks