General
-
Target
6.xlsb
-
Size
190KB
-
Sample
210226-v7dssmcfc2
-
MD5
10360f4838885037c303c5d1e54a40c1
-
SHA1
e22bc05b3ff0891e18f414f0dc468078bf24720d
-
SHA256
ab1d6eacd13c7ce70852c85f8da60605b30722d728928ee6d65647750061c6f2
-
SHA512
8b91f5a5114cc46d034d62dd07006e22a7ced0e0e54df5354243070259111182e851c6a0f7d0ef1225c8eecd12a789e314b709a28c37091f4d2080c2a16a51a0
Malware Config
Extracted
http://195.123.220.220/campo/t2/t2
Extracted
trickbot
100012
mon80
41.77.134.250:449
45.155.173.242:443
192.162.238.186:449
142.112.79.223:449
122.2.28.70:449
154.126.176.30:449
45.230.244.20:443
182.253.107.34:443
200.52.147.93:443
123.200.26.246:449
131.255.106.152:449
177.85.133.118:449
103.225.138.94:449
142.202.191.164:443
95.210.118.90:449
36.94.62.207:443
201.20.118.122:449
180.92.238.186:449
103.130.6.244:449
202.91.41.138:449
-
autorunName:pwgrab
Targets
-
-
Target
6.xlsb
-
Size
190KB
-
MD5
10360f4838885037c303c5d1e54a40c1
-
SHA1
e22bc05b3ff0891e18f414f0dc468078bf24720d
-
SHA256
ab1d6eacd13c7ce70852c85f8da60605b30722d728928ee6d65647750061c6f2
-
SHA512
8b91f5a5114cc46d034d62dd07006e22a7ced0e0e54df5354243070259111182e851c6a0f7d0ef1225c8eecd12a789e314b709a28c37091f4d2080c2a16a51a0
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Templ.dll packer
Detects Templ.dll packer which usually loads Trickbot.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-