Overview

overview

10

Static

static

tell.07.16.2021.doc

windows7_x64

10

tell.07.16.2021.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tell.07.16.2021.doc

  • Size

    87KB

  • Sample

    210716-1qj2kjgtmj

  • MD5

    81fc96326dc047f80bde695fadd17aa9

  • SHA1

    c7e6d9ef9a768bc37770aa81e4e4caad91e0baf3

  • SHA256

    de74367751f99bf856cb8b95e8fa1e6bb1f8405ccd0bb2a6ed0c4afadb2d868c

  • SHA512

    4e9c8e46deedec7f9171447721d89f26bc9b275f858de0b5e92182245fe1fed8b0a4857e10f90ea76627b7eb9743b1ee51ef3bcafbe37d976eddfdce3ef5da42

Score
10/10
trickbotzev1bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      tell.07.16.2021.doc

    • Size

      87KB

    • MD5

      81fc96326dc047f80bde695fadd17aa9

    • SHA1

      c7e6d9ef9a768bc37770aa81e4e4caad91e0baf3

    • SHA256

      de74367751f99bf856cb8b95e8fa1e6bb1f8405ccd0bb2a6ed0c4afadb2d868c

    • SHA512

      4e9c8e46deedec7f9171447721d89f26bc9b275f858de0b5e92182245fe1fed8b0a4857e10f90ea76627b7eb9743b1ee51ef3bcafbe37d976eddfdce3ef5da42

    Score
    10/10
    trickbotzev1bankertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks