Form_1004276.xlsb

General

Target: Form_1004276.xlsb
Size: 277KB
Sample: 210318-qavf9s8tea
Score: 10/10
MD5: 830ee920796185f6ef36dc8962ce8cb8
SHA1: 89ee9b135716f6aca200d268bf270d28e29d21d7
SHA256: bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58
SHA512: a74ceabb94c3157970f5396a98f074faf1951ed1111c17d52f00c046cce1b1117c3b6498c33a82756f607b5bac1660246a30bdaa2887e43e881e26c5589ffcde

Malware Config

Extracted (Language: xlm4.0)

Extracted (Family: trickbot, Version: 100013, Botnet: rev3)

C2

Attributes: autorun
Name: pwgrab
ecc_pubkey.base64
Signatures

  • Nloader

    Description

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Description

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Nloader Payload

  • Templ.dll packer

    Description

    Detects Templ.dll packer which usually loads Trickbot.

  • Blocklisted process makes network request

  • Loads dropped DLL

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.
