Overview

overview

10

Static

static

bid 07.16.2021.doc

windows7_x64

10

bid 07.16.2021.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2021-07-16-TA551-email-example.eml

  • Size

    56KB

  • Sample

    210716-wtvmasx7as

  • MD5

    7e824fa00e10e1e7aada2c6fb3843896

  • SHA1

    1704a904ecda0a9c772e47d984a45d688f242ced

  • SHA256

    c3c714fb6f2acbe9119203d980972629042e9f200fe8c4bc0f19381e4118f07d

  • SHA512

    c02ac24c80b497224ebb2220f6f82726963b1d6c86c81dbb00cc50006cfa1b08c564afafb35918a39c679c2f47aa7f9668b3c869fe1207f0767e2f0187bc916c

Score
10/10
trickbotzev1bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      bid 07.16.2021.doc

    • Size

      87KB

    • MD5

      0890bb39965b1007390c179a91c746e5

    • SHA1

      d8f074893054deeee451e6c005b342807c9ad239

    • SHA256

      807ae0df3ec8455f90dafd7835e191a4de5979c70f1a30b912278809b8a9dd17

    • SHA512

      2b2cfd89edf25cc23a6c6c8c76c4c70a192bdcc025880a296bb8b4bc5f04cf2e45ced015049a4ecf45ad988afcdc30b8ba0a7886ffd7f5984ddd4e59b21c05d6

    Score
    10/10
    trickbotzev1bankertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks