Overview

overview

10

Static

static

8

files_09.15.2021.doc

windows7_x64

10

files_09.15.2021.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    files_09.15.2021.doc

  • Size

    68KB

  • Sample

    210915-qx1nradgem

  • MD5

    0a529d4c2ab5cdbafd2014562e25d10a

  • SHA1

    6c19cb8f98ca9deb0fb0e06a080bec7f80be8e20

  • SHA256

    c02297277ee3d2a8690fcb3f8ac09ee1b34b3a806cee94a31da1b8547592a4d1

  • SHA512

    90ad1809ca5d5ef891f8d3d23edcc9944d5f63c3c054518c8cba10927fbc3db9649aeab4ab1f2f036900ba38ddd9e27931aa77ec160c4c1f01a34ed63d6aaf45

Score
10/10
trickbotzev4bankermacrotrojanxlm

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

zev4

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      files_09.15.2021.doc

    • Size

      68KB

    • MD5

      0a529d4c2ab5cdbafd2014562e25d10a

    • SHA1

      6c19cb8f98ca9deb0fb0e06a080bec7f80be8e20

    • SHA256

      c02297277ee3d2a8690fcb3f8ac09ee1b34b3a806cee94a31da1b8547592a4d1

    • SHA512

      90ad1809ca5d5ef891f8d3d23edcc9944d5f63c3c054518c8cba10927fbc3db9649aeab4ab1f2f036900ba38ddd9e27931aa77ec160c4c1f01a34ed63d6aaf45

    Score
    10/10
    trickbotzev4bankertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks