Severity
Medium
Analysis Summary
TrickBot is a banking Trojan that targets sensitive information and acts as a dropper for other malware. TrickBot is usually spread via malspam campaigns. These campaigns send unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware delivered as an attachment. The TrickBot banking Trojan, one of the most persistent threats on the current landscape, has been observed targeting users in the UK with geofenced malicious spam. The spam email looks like this:
When a victim opens the downloaded attachment, it prompts the user to enable macros. Once the user clicks to enable them, the payload is downloaded.
Impact
Exposure of sensitive data
Credential theft
Financial loss
Indicators of Compromise
Source IP
51[.]81[.]112[.]144 88[.]218[.]16[.]9 185[.]82[.]126[.]178
URL
http[:]//185[.]82[.]126[.]178/api-exel[.]php http[:]//88[.]218[.]16[.]9/filecall-dll[.]php http[:]//88[.]218[.]16[.]9/file[.]php http[:]//185[.]82[.]126[.]178/trafficdll[.]php
Remediation
Block the threat indicators at their respective controls. Do not download any email attachments coming from untrusted email addresses.
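One way to act on the "block the threat indicators" step is to refang the defanged URLs and IPs from the list above and sweep existing proxy logs for any client that already reached them. This is an added example, not part of the original advisory; the Squid-style log lines are constructed and the field layout is an assumption.

```python
import re

# Defanged network indicators taken from this advisory's URL and Source IP entries.
DEFANGED_IOCS = [
    "http[:]//185[.]82[.]126[.]178/api-exel[.]php",
    "http[:]//88[.]218[.]16[.]9/filecall-dll[.]php",
    "http[:]//88[.]218[.]16[.]9/file[.]php",
    "http[:]//185[.]82[.]126[.]178/trafficdll[.]php",
    "51[.]81[.]112[.]144",
    "88[.]218[.]16[.]9",
    "185[.]82[.]126[.]178",
]

# Constructed Squid-style proxy lines (not real traffic): timestamp, duration, client IP, status, size, method, URL, ...
SAMPLE_PROXY_LOG = """\
1700000000.123 45 10.0.0.12 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000001.456 120 10.0.0.23 TCP_MISS/200 20480 GET http://185.82.126.178/api-exel.php - HIER_DIRECT/185.82.126.178 application/octet-stream
1700000002.789 30 10.0.0.45 TCP_MISS/200 1024 GET http://88.218.16.9/file.php - HIER_DIRECT/88.218.16.9 application/octet-stream
1700000003.001 15 10.0.0.12 TCP_MISS/200 300 GET http://intranet.local/home - HIER_DIRECT/10.0.1.5 text/html
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form so it can be matched against logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def build_matcher(defanged):
    """Compile one regex over all refanged indicators, longest first so a full URL wins over its bare IP."""
    refanged = sorted({refang(i) for i in defanged}, key=len, reverse=True)
    return re.compile("|".join(re.escape(i) for i in refanged))


def scan_proxy_log(log_text, defanged=DEFANGED_IOCS):
    """Return (line_number, client_ip, matched_indicator) for every log line that touches a listed indicator."""
    matcher = build_matcher(defanged)
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = matcher.search(line)
        if m:
            fields = line.split()
            client = fields[2] if len(fields) > 2 else "?"  # assumed column: client IP
            hits.append((n, client, m.group(0)))
    return hits


if __name__ == "__main__":
    for line_no, client, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: client {client} contacted {ioc}")
```

Each hit identifies a host that should be triaged for the macro-enabled attachment and its dropped payload, not just blocked at the proxy.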