Overview

overview

10

Static

static

8

doc.xlsm

windows7_x64

10

doc.xlsm

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    doc.xlsm

  • Size

    210KB

  • Sample

    211020-wxa1zshea3

  • MD5

    7eaa8c20b9840547b206f2dd21ac11b6

  • SHA1

    6eaaa24a1d5164dca972e928d62a4c1cf6523689

  • SHA256

    9cf7aef7011220c83deb3587e15b09bdfd16da64f3c23739d860ef183afb0d22

  • SHA512

    9cc2095e15a3261ef9d4101ae363c44a54412db86a1556f09b441379b7291d12c4d1ce554b67f584a275730e6d03d4958255ca4c649e206a83bd560ff29636a9

Score
10/10
trickbotsat4bankermacrotrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://185.81.115.23/ytr.dll

Extracted

Family

trickbot

Version

100019

Botnet

sat4

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      doc.xlsm

    • Size

      210KB

    • MD5

      7eaa8c20b9840547b206f2dd21ac11b6

    • SHA1

      6eaaa24a1d5164dca972e928d62a4c1cf6523689

    • SHA256

      9cf7aef7011220c83deb3587e15b09bdfd16da64f3c23739d860ef183afb0d22

    • SHA512

      9cc2095e15a3261ef9d4101ae363c44a54412db86a1556f09b441379b7291d12c4d1ce554b67f584a275730e6d03d4958255ca4c649e206a83bd560ff29636a9

    Score
    10/10
    trickbotsat4bankertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks