Saturday, March 7, 2020

Analysis of the latest Trickbot malware sample, served in an Excel attachment

This Trickbot sample had already been submitted to the ANY.RUN online sandbox for malware analysis.




We collected this malware sample and performed a manual analysis. The file details are:


We searched for this hash on VirusTotal to check for detection hits:


File name: Unpaid_invoice_1462.xls

File size: 109.5 KB
SHA256: 9e777e1e2e80909b5054c1eca935edc7046feb7d4546f40d392549e2f481d08e
MD5: 1f38f17810621dbff93a4e8cbd2ea1bf

This Excel file has an embedded macro that connects to a suspicious URL. We executed the malware in our VM, and it prompted us to enable the macro. After the macro was enabled, it tried to connect to the following link:

URL: pnxkntdl(.)xyz/KJSDBViad7

At the time of our analysis, it did not download any other payloads.
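As an added example (not code from the original post), the indicators above can be checked against web proxy logs and collected files. The log format, the function names and the sample log lines are assumptions constructed for illustration; the URL indicator stays defanged in the source and is only refanged in memory.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the post; the URL stays defanged in source.
IOC_URL = "pnxkntdl(.)xyz/KJSDBViad7"
IOC_SHA256 = "9e777e1e2e80909b5054c1eca935edc7046feb7d4546f40d392549e2f481d08e"

def refang(text):
    """Undo common defanging: '(.)' or '[.]' -> '.', 'hxxp' -> 'http'."""
    text = re.sub(r"[(\[]\.[)\]]", ".", text)
    return re.sub(r"^hxxp", "http", text, flags=re.I)

def split_url(url):
    """Return (lowercase host without port or trailing dot, path)."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.path

IOC_HOST, IOC_PATH = split_url(IOC_URL)

def classify_url(url):
    """'url': host and path match; 'host': host or subdomain only; else None."""
    try:
        host, path = split_url(url)
    except ValueError:  # token that urlsplit rejects, e.g. stray brackets
        return None
    if host != IOC_HOST and not host.endswith("." + IOC_HOST):
        return None  # exact host or true subdomain only, no substring matching
    return "url" if path == IOC_PATH else "host"

def scan_proxy_log(lines):
    """Return [(line_no, verdict, token)] for URL-like tokens that match."""
    return [(no, classify_url(tok), tok)
            for no, line in enumerate(lines, 1) for tok in line.split()
            if "." in tok and "/" in tok and classify_url(tok)]

def matches_sample(data):
    """True if the bytes hash to the SHA256 listed in the post."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256

# Constructed proxy log lines (hypothetical format, not from the post).
SAMPLE_LOG = [
    f"2020-03-07T10:01:02Z 10.0.0.5 GET http://{IOC_HOST.upper()}{IOC_PATH} 200",
    f"2020-03-07T10:01:09Z 10.0.0.5 GET http://cdn.{IOC_HOST}:8080/other 404",
    f"2020-03-07T10:02:00Z 10.0.0.7 GET http://not{IOC_HOST}{IOC_PATH} 200",
]
```

A `url` verdict means the exact URL from the post was requested; a `host` verdict means the same domain or a subdomain was contacted with a different path. The third sample line is a lookalike domain and is deliberately not flagged.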


