nloader | bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58

General

Target

Form_1004276.xlsb
Size

277KB
MD5

830ee920796185f6ef36dc8962ce8cb8
SHA1

89ee9b135716f6aca200d268bf270d28e29d21d7
SHA256

bd4f4450e7d4973ed38cc12cbe6689eb63ff492fb0cc9e6f56144ffe4474aa58
SHA512

a74ceabb94c3157970f5396a98f074faf1951ed1111c17d52f00c046cce1b1117c3b6498c33a82756f607b5bac1660246a30bdaa2887e43e881e26c5589ffcde

Score

10^/10

nloader trickbot rev3 banker loader trojan

Malware Config

Extracted

Family

trickbot

Version

100013

Botnet

rev3

C2

103.225.138.94:449

122.2.28.70:449

123.200.26.246:449

131.255.106.152:449

142.112.79.223:449

154.126.176.30:449

180.92.238.186:449

187.20.217.129:449

201.20.118.122:449

202.91.41.138:449

95.210.118.90:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1536	3636	certutil.exe	67
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4048	3636	rundll32.exe	67

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Nloader Payload 4 IoCs

resource	yara_rule
behavioral2/memory/2744-13-0x00000000029E0000-0x00000000029E9000-memory.dmp	nloader
behavioral2/memory/2744-14-0x0000000010000000-0x0000000010007000-memory.dmp	nloader
behavioral2/memory/2744-15-0x00000000045B0000-0x00000000045B5000-memory.dmp	nloader
behavioral2/memory/2744-16-0x00000000009B0000-0x00000000009B6000-memory.dmp	nloader

Templ.dll packer 3 IoCs

Detects Templ.dll packer which usually loads Trickbot.

resource	yara_rule
behavioral2/memory/2084-21-0x0000000002B70000-0x0000000002BA9000-memory.dmp	templ_dll
behavioral2/memory/2084-22-0x0000000004250000-0x0000000004287000-memory.dmp	templ_dll
behavioral2/memory/2084-24-0x0000000000840000-0x0000000000876000-memory.dmp	templ_dll

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	2744	rundll32.exe
29	2744	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2744	rundll32.exe
2084	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	wtfismyip.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3636	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3484	wermgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE
3636	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 1536	3636	EXCEL.EXE	80
PID 3636 wrote to memory of 1536	3636	EXCEL.EXE	80
PID 3636 wrote to memory of 4048	3636	EXCEL.EXE	82
PID 3636 wrote to memory of 4048	3636	EXCEL.EXE	82
PID 4048 wrote to memory of 2744	4048	rundll32.exe	83
PID 4048 wrote to memory of 2744	4048	rundll32.exe	83
PID 4048 wrote to memory of 2744	4048	rundll32.exe	83
PID 2744 wrote to memory of 2084	2744	rundll32.exe	86
PID 2744 wrote to memory of 2084	2744	rundll32.exe	86
PID 2744 wrote to memory of 2084	2744	rundll32.exe	86
PID 2084 wrote to memory of 1844	2084	rundll32.exe	87
PID 2084 wrote to memory of 1844	2084	rundll32.exe	87
PID 2084 wrote to memory of 1844	2084	rundll32.exe	87
PID 2084 wrote to memory of 3484	2084	rundll32.exe	88
PID 2084 wrote to memory of 3484	2084	rundll32.exe	88
PID 2084 wrote to memory of 3484	2084	rundll32.exe	88
PID 2084 wrote to memory of 3484	2084	rundll32.exe	88

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Form_1004276.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\System32\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\jahi.png C:\Users\Public\jahi.pn
  2⤵
  - Process spawned unexpected child process
  PID:1536
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi.pn,DF
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi.pn,DF
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\ProgramData\kgff\kgff.dll,DllRegisterServer1
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe
        5⤵
        
        PID:1844
    - - C:\Windows\system32\wermgr.exe
        
        C:\Windows\system32\wermgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-24-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download
memory/2084-22-0x0000000004250000-0x0000000004287000-memory.dmp

Filesize
220KB

Download
memory/2084-26-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/2084-25-0x00000000043A0000-0x00000000043E3000-memory.dmp

Filesize
268KB

Download
memory/2084-27-0x0000000004291000-0x0000000004293000-memory.dmp

Filesize
8KB

Download
memory/2084-30-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2084-21-0x0000000002B70000-0x0000000002BA9000-memory.dmp

Filesize
228KB

Download
memory/2744-13-0x00000000029E0000-0x00000000029E9000-memory.dmp

Filesize
36KB

Download
memory/2744-14-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2744-15-0x00000000045B0000-0x00000000045B5000-memory.dmp

Filesize
20KB

Download
memory/2744-16-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/3484-28-0x000001D9A82D0000-0x000001D9A82F8000-memory.dmp

Filesize
160KB

Download
memory/3484-29-0x000001D9A83E0000-0x000001D9A83E1000-memory.dmp

Filesize
4KB

Download
memory/3636-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3636-6-0x00007FF8E9150000-0x00007FF8E9787000-memory.dmp

Filesize
6.2MB

Download
memory/3636-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3636-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download
memory/3636-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads