Overview

overview

10

Static

static

8

invoice at...t.docm

windows7_x64

10

invoice at...t.docm

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    invoice attachment.docm

  • Size

    188KB

  • Sample

    210922-szlnqaffhq

  • MD5

    4e3fe2ad8dc94dbf82847aa9c18e7efd

  • SHA1

    c6623f75c837d4579e3282bd5871516475d8af3a

  • SHA256

    712fd163cc98f8fb2055573336c606f17c66a22276dce9f6e9f909e3d6d23f16

  • SHA512

    98f80aa9bb78b990cd7497efa2c8badc0e3c3c7ef71211de3ccd4ab019959f41b6473888f9f7e52deb0f0c22e3a3c23ab630a8dab07c9209c8c46434153a79f7

Score
10/10
trickbotrob133bankermacrotrojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob133

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      invoice attachment.docm

    • Size

      188KB

    • MD5

      4e3fe2ad8dc94dbf82847aa9c18e7efd

    • SHA1

      c6623f75c837d4579e3282bd5871516475d8af3a

    • SHA256

      712fd163cc98f8fb2055573336c606f17c66a22276dce9f6e9f909e3d6d23f16

    • SHA512

      98f80aa9bb78b990cd7497efa2c8badc0e3c3c7ef71211de3ccd4ab019959f41b6473888f9f7e52deb0f0c22e3a3c23ab630a8dab07c9209c8c46434153a79f7

    Score
    10/10
    trickbotrob133bankertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks