General
-
Target
Attach_1344833645_1944784007.xls
-
Size
141KB
-
Sample
210223-fh9ej935y6
-
MD5
d565aff6f0f8712bd3a7529e19a8a419
-
SHA1
ff573e49876b159f8821f9c8abfa6c344a5ed275
-
SHA256
cd82389b29fa5bf0b638c07322d368bbe1d20e3a41017367ee6308ff1d2cdb54
-
SHA512
4af4bd83b514788f0d98fa6f18da332f53bddbac683774f10fbf7174e9a02e14bf91d01605b68b87a2b1606d5f67cb850693bd3a8391dab6e285fe08c708041e
Behavioral task
behavioral1
Sample
Attach_1344833645_1944784007.xls
Resource
win7v20201028
Malware Config
Extracted
http://bearcatpumps.com.cn/css/tolkio.php
Extracted
trickbot
2000026
rob16
-
autorunName:pwgrab
Targets
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Templ.dll packer
Detects the Templ.dll packer, which usually loads Trickbot.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-