Emotet leads to IcedID and then to TrickBot
IcedID is a new, active banking Trojan served by Emotet, which this year has operated as a distribution service for banking Trojans and other malware families.
Emotet itself arrives via malspam, usually inside rigged productivity files (Office documents) that carry malicious macros. Once Emotet infects the endpoint it becomes a silent resident and is operated to deliver malware from other cybercriminal groups.
The TrickBot malware family has been active for several years, mainly focused on stealing victims' online banking credentials.
In this case TrickBot is downloaded by opening an Excel file that carries a malicious VBA macro; the macro executes when the victim opens the file in Microsoft Excel and enables macros.
The VBA code starts with the Workbook_Open routine, which Excel calls automatically when the workbook is opened. It then reads data from a Text control on the sheet; that data is encoded PowerShell code.
Finally the PowerShell code is executed: it downloads a file from "hxxp://excel-office.com/secure.excel", saves it to a local temporary folder under the name "pointer.exe" and runs it. As you may have guessed, "pointer.exe" is TrickBot. A scheduled task (named "Msnetcs", see the removal steps below) then restarts TrickBot for persistence, and TrickBot loads its pwgrab32 module, the 32-bit password-grabbing module.
IoC - C2 handlers:
<handler>http://173.171.132.82:8082</handler>
<handler>http://66.181.167.72:8082</handler>
<handler>http://46.146.252.178:8082</handler>
<handler>http://97.88.100.152:8082</handler>
<handler>http://174.105.232.193:8082</handler>
<handler>http://23.142.128.34:80</handler>
<handler>http://177.0.69.68:80</handler>
<handler>http://5.228.72.17:80</handler>
<handler>http://174.105.232.193:80</handler>
<handler>http://23.226.138.220:443</handler>
<handler>http://23.226.138.196:443</handler>
<handler>http://23.226.138.221:443</handler>
<handler>http://92.38.135.151:443</handler>
<handler>http://198.23.252.204:443</handler>
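Added example (not code from the original post or from any vendor tool): a small Python triage script that turns the indicators and the infection chain described above into checks a responder can run over exported telemetry. It parses the handler list exactly as printed in the IoC section, matches constructed netflow lines against it (IP and port together, since 174.105.232.193 is listed on both 8082 and 80), flags Excel spawning PowerShell and execution from the temp folder in constructed Sysmon-style process events, and looks for the Msnetcs task in a trimmed, constructed export in the shape of `schtasks /query /fo CSV /v`. All log lines, the user name, timestamps and the task's action path are constructed for the example, and the record layouts are assumptions, not output captured from a real host.

```python
"""Triage helpers for the Excel -> PowerShell -> pointer.exe (TrickBot) chain.
Example code written for this page; every log line below is a constructed
sample, not real telemetry, and the record layouts are assumptions.
"""
import csv
import io
import re

# Handler list copied from the page's IoC section (port kept, because
# 174.105.232.193 is listed on both 8082 and 80).
HANDLER_BLOCK = """
<handler>http://173.171.132.82:8082</handler>
<handler>http://66.181.167.72:8082</handler>
<handler>http://46.146.252.178:8082</handler>
<handler>http://97.88.100.152:8082</handler>
<handler>http://174.105.232.193:8082</handler>
<handler>http://23.142.128.34:80</handler>
<handler>http://177.0.69.68:80</handler>
<handler>http://5.228.72.17:80</handler>
<handler>http://174.105.232.193:80</handler>
<handler>http://23.226.138.220:443</handler>
<handler>http://23.226.138.196:443</handler>
<handler>http://23.226.138.221:443</handler>
<handler>http://92.38.135.151:443</handler>
<handler>http://198.23.252.204:443</handler>
"""
HANDLER_RE = re.compile(r"<handler>https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)</handler>")


def parse_handlers(block):
    """Return the set of (ip, port) pairs found in <handler> lines."""
    return {(ip, int(port)) for ip, port in HANDLER_RE.findall(block)}


# Constructed netflow export, one key=value record per line (assumed format).
NETFLOW = """
2019-09-03T10:12:07Z src=10.0.0.15 dst=13.107.42.14 dport=443 proto=tcp
2019-09-03T10:12:09Z src=10.0.0.15 dst=23.226.138.220 dport=443 proto=tcp
2019-09-03T10:12:11Z src=10.0.0.15 dst=174.105.232.193 dport=8082 proto=tcp
2019-09-03T10:12:30Z src=10.0.0.22 dst=174.105.232.193 dport=22 proto=tcp
"""
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_c2_flows(flows, handlers):
    """Return (src, dst, dport) for each flow whose dst:port is a known handler."""
    hits = []
    for line in flows.strip().splitlines():
        m = FLOW_RE.match(line)
        if m and (m["dst"], int(m["dport"])) in handlers:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


# Constructed Sysmon-style process-creation events, pipe-separated (assumed format).
PROC_EVENTS = r"""
ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -enc SQBFAFgA
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -File C:\scripts\backup.ps1
ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Users\bob\AppData\Local\Temp\pointer.exe|CommandLine=pointer.exe
"""
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_events(events):
    """Flag Office -> script-host launches and binaries executed from the temp folder."""
    findings = []
    for line in events.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split("|"))
        parent, image = _basename(fields["ParentImage"]), _basename(fields["Image"])
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", parent, image))
        if "\\appdata\\local\\temp\\" in fields["Image"].lower():
            findings.append(("exec_from_temp", parent, image))
    return findings


# Constructed, trimmed export in the shape of `schtasks /query /fo CSV /v`
# (two of its columns kept; the task's action path is an assumption).
SCHTASKS_CSV = r'''
"TaskName","Status","Task To Run"
"\Msnetcs","Ready","C:\Users\bob\AppData\Roaming\msnet\pointer.exe"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c -h -o -$"
'''


def find_suspicious_tasks(csv_text, names=("msnetcs",)):
    """Return (TaskName, action) for the named task or any task whose action lives under AppData."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = row["TaskName"].lstrip("\\").lower()
        if name in names or "\\appdata\\" in row["Task To Run"].lower():
            out.append((row["TaskName"], row["Task To Run"]))
    return out


if __name__ == "__main__":
    handlers = parse_handlers(HANDLER_BLOCK)
    print("C2 flows:", match_c2_flows(NETFLOW, handlers))
    print("Process findings:", flag_process_events(PROC_EVENTS))
    print("Suspicious tasks:", find_suspicious_tasks(SCHTASKS_CSV))
```

Matching on IP and port together keeps the 174.105.232.193 flow on port 22 out of the hit list, while the Excel-to-PowerShell rule catches the macro stage regardless of how the PowerShell payload is encoded; the task check looks both for the Msnetcs name and for any task whose action runs from a user-writable AppData path, which survives a simple renaming of the task.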
How to remove this malware:
1) Open Task Scheduler and go to Task Scheduler (Local) -> Task Scheduler Library.
2) Select the task named "Msnetcs", press the Delete key, and then click Yes.
3) Restart the system and delete the files TrickBot dropped under %AppData% together with "pointer.exe" in the temporary folder. Wiping the entire %AppData% folder also works but destroys legitimate application data, so remove only the malware's own directory and files, and confirm afterwards that the "Msnetcs" task has not been recreated.
IoC - URL:
"hxxp://excel-office.com/secure.excel"
Sample SHA256:
41288C8A4E58078DC2E905C07505E8C317D6CC60E2539BFA4DF5D557E874CDEC
D5CADEF60EDD2C4DE115FFD69328921D9438ACD76FB42F3FEC50BDAAB225620D