Resubmissions

18-03-2021 05:00

210318-qavf9s8tea 10

General

  • Target

    Form_1004276.xlsb

  • Size

    277KB

  • Sample

    210318-qavf9s8tea

  • MD5

    830ee920796185f6ef36dc8962ce8cb8

  • SHA1

    89ee9b135716f6aca200d268bf270d28e29d21d7

  • SHA256

    bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58

  • SHA512

    a74ceabb94c3157970f5396a98f074faf1951ed1111c17d52f00c046cce1b1117c3b6498c33a82756f607b5bac1660246a30bdaa2887e43e881e26c5589ffcde

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

trickbot

Version

100013

Botnet

rev3

C2

103.225.138.94:449

122.2.28.70:449

123.200.26.246:449

131.255.106.152:449

142.112.79.223:449

154.126.176.30:449

180.92.238.186:449

187.20.217.129:449

201.20.118.122:449

202.91.41.138:449

95.210.118.90:449

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      Form_1004276.xlsb

    • Size

      277KB

    • MD5

      830ee920796185f6ef36dc8962ce8cb8

    • SHA1

      89ee9b135716f6aca200d268bf270d28e29d21d7

    • SHA256

      bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58

    • SHA512

      a74ceabb94c3157970f5396a98f074faf1951ed1111c17d52f00c046cce1b1117c3b6498c33a82756f607b5bac1660246a30bdaa2887e43e881e26c5589ffcde

    • Nloader

      Simple loader that includes the keyword 'cambo' in the URL used to download other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Nloader Payload

    • Templ.dll packer

      Detects Templ.dll packer which usually loads Trickbot.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks