Description
This typically indicates the parent process was compromised via an exploit or macro.
RNP-00152.xlsm
General
Target
Size
Sample
RNP-00152.xlsm
87KB
211021-sk6eksbdaj
Score
10 /10
MD5
SHA1
SHA256
SHA512
7ac2366ab4515b9f37be3187deea9bc0
c4cee812f0fb97c510e149a28c1a55b6c5da2c9e
0b149fc1f48da1d2c02d778be120427483403cd7519fc7f69e741288b120cb9d
db221383ef594bb4b2be2fac9a33f465dac8cdaaf4aafa8b376e57ef5ab337c596379100972c9809d79a5ad8293b2a1294308a23b0ee22512aa474f8d0e7fe7e
Malware Config
Extracted
| Family | trickbot |
| Version | 100019 |
| Botnet | rob136 |
| C2 |
65.152.201.203:443 185.56.175.122:443 46.99.175.217:443 179.189.229.254:443 46.99.175.149:443 181.129.167.82:443 216.166.148.187:443 46.99.188.223:443 128.201.76.252:443 62.99.79.77:443 60.51.47.65:443 24.162.214.166:443 45.36.99.184:443 97.83.40.67:443 184.74.99.214:443 103.105.254.17:443 62.99.76.213:443 82.159.149.52:443 |
| Attributes |
autorun
Name: pwgrabb
Name: pwgrabc
|
| ecc_pubkey.base64 |
|
Targets
Target
MD5
Filesize
RNP-00152.xlsm
7ac2366ab4515b9f37be3187deea9bc0
87KB
Score
10 /10
SHA1
SHA256
SHA512
c4cee812f0fb97c510e149a28c1a55b6c5da2c9e
0b149fc1f48da1d2c02d778be120427483403cd7519fc7f69e741288b120cb9d
db221383ef594bb4b2be2fac9a33f465dac8cdaaf4aafa8b376e57ef5ab337c596379100972c9809d79a5ad8293b2a1294308a23b0ee22512aa474f8d0e7fe7e
Tags
Signatures
-
Process spawned unexpected child process
-
Trickbot
Description
Developed in 2016, TrickBot is one of the more recent banking Trojans.
Tags
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks