trickbot

General

Target

Attachment_77988.xlsb
Size

156KB
Sample

210304-rvbd77nwva
MD5

6022aea669bdd233a0d0d66fac85b138
SHA1

f635d3c887f30993e38bef08111805574043f22e
SHA256

ab72f4a340ae25c16cba14691708e873f5c84a5b606ee4f54717475292f6bb89
SHA512

d87de5be72e14c00afb41c53a7b685f2ca129edaa51c7aff34273730d8a7b60fc73ba5c2caf20eedc061f5087517d1e79a8a06944a8372b9224a32ed23fb6db6

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://195.123.219.72/haurf/n2/n2

Extracted

Family

trickbot

Version

100013

Botnet

mon103

C2

103.225.138.94:449

122.2.28.70:449

123.200.26.246:449

131.255.106.152:449

142.112.79.223:449

154.126.176.30:449

180.92.238.186:449

187.20.217.129:449

201.20.118.122:449

202.91.41.138:449

95.210.118.90:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  Attachment_77988.xlsb
- Size
  
  156KB
- MD5
  
  6022aea669bdd233a0d0d66fac85b138
- SHA1
  
  f635d3c887f30993e38bef08111805574043f22e
- SHA256
  
  ab72f4a340ae25c16cba14691708e873f5c84a5b606ee4f54717475292f6bb89
- SHA512
  
  d87de5be72e14c00afb41c53a7b685f2ca129edaa51c7aff34273730d8a7b60fc73ba5c2caf20eedc061f5087517d1e79a8a06944a8372b9224a32ed23fb6db6
Score

10^/10

trickbot mon103 banker trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Templ.dll packer

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2