trickbot

General

Target

case_142297110_1765967889.xlsm
Size

149KB
Sample

210315-h4kefy55ya
MD5

cb9f4477fbf6f33c8de41d3a2febcf0f
SHA1

97d398eed15462aeeaff7a7b9ef93a61fdf6370d
SHA256

438fc9f6931a33ae2ac94848f8b2c3876b3ddf4e4d58c5ed403ca49da3366a34
SHA512

b6517693a5a17270ca180c6ec0e6edea0629dbed28a69499247f0dbd2993344417d1f868afbbd8b9fdee21b6321a5ba57a31c95f5d1fc06ff13c1302f53d6969

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://www.ceder-invest.be/sass/capital.php

Extracted

Family

trickbot

Version

100013

Botnet

rob77

C2

103.225.138.94:449

122.2.28.70:449

123.200.26.246:449

131.255.106.152:449

142.112.79.223:449

154.126.176.30:449

180.92.238.186:449

187.20.217.129:449

201.20.118.122:449

202.91.41.138:449

95.210.118.90:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  case_142297110_1765967889.xlsm
- Size
  
  149KB
- MD5
  
  cb9f4477fbf6f33c8de41d3a2febcf0f
- SHA1
  
  97d398eed15462aeeaff7a7b9ef93a61fdf6370d
- SHA256
  
  438fc9f6931a33ae2ac94848f8b2c3876b3ddf4e4d58c5ed403ca49da3366a34
- SHA512
  
  b6517693a5a17270ca180c6ec0e6edea0629dbed28a69499247f0dbd2993344417d1f868afbbd8b9fdee21b6321a5ba57a31c95f5d1fc06ff13c1302f53d6969
Score

10^/10

trickbot rob77 banker trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2