Overview

overview

10

Static

static

8

Invoice 717.xlsb

windows7_x64

10

Invoice 717.xlsb

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Invoice 717.xlsb

  • Size

    97KB

  • Sample

    210513-pphlssvah2

  • MD5

    aae44c3735592848cee672f1b4806026

  • SHA1

    52cd5e0535d6562193a84005cf0f20ed1da7f54e

  • SHA256

    587ab4f5569b3d5064b93f4d8e12ff8ab7399a03a0c3304c8865db2b187b2272

  • SHA512

    7f9d3aa31499086fd52c9f351d2f216f061268e2ca4dd9a4722bce8245cebc8122018a7ec221fb4e10400e04c32a6e6731e0c4e9e620a742aa6d2ce44a431e7a

Score
10/10
trickbotnet16bankermacrotrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://mastercarebath.com/wp-netmon.dll

Extracted

Family

trickbot

Version

2000029

Botnet

net16

C2

103.66.72.217:443

117.252.68.211:443

103.124.173.35:443

115.73.211.230:443

117.54.250.246:443

131.0.112.122:443

102.176.221.78:443

181.176.161.143:443

154.79.251.172:443

103.111.199.76:443

103.54.41.193:443

154.79.244.182:443

154.79.245.158:443

139.255.116.42:443

178.254.161.250:443

178.134.47.166:443

158.181.179.229:443

103.90.197.33:443

109.207.165.40:443

178.72.192.20:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      Invoice 717.xlsb

    • Size

      97KB

    • MD5

      aae44c3735592848cee672f1b4806026

    • SHA1

      52cd5e0535d6562193a84005cf0f20ed1da7f54e

    • SHA256

      587ab4f5569b3d5064b93f4d8e12ff8ab7399a03a0c3304c8865db2b187b2272

    • SHA512

      7f9d3aa31499086fd52c9f351d2f216f061268e2ca4dd9a4722bce8245cebc8122018a7ec221fb4e10400e04c32a6e6731e0c4e9e620a742aa6d2ce44a431e7a

    Score
    10/10
    trickbotnet16bankertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Templ.dll packer

      Detects Templ.dll packer which usually loads Trickbot.

    • Downloads MZ/PE file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks