Pulling apart a Trickbot banking trojan email

I rarely get emails with malicious attachments or embedded malicious links, and when I do I like to see what is going on.

This afternoon (Tuesday) I received the email below. It is fairly standard and partly believable, but this one is slightly different. Normally, hovering over the link reveals a random domain made up of numbers and letters, or a legitimate domain that has been hijacked.



The link shown was: https://companieshousewebfilling.co.uk/CaseC***********.zip. The domain is a lookalike of the real Companies House WebFiling service (note the doubled "l" in "filling"), which is what makes this one more convincing than the usual random-string domain.



A whois lookup shows the domain was registered today through GoDaddy, and the hosting IP address, 160.153.131.150, also belongs to GoDaddy. Visiting the base domain on its own redirects to the official site it impersonates, so a casual check of "where does this domain go" reveals nothing suspicious.



Clicking the link prompts you to download a zip archive containing a .js file.



MetaScan gives a 3/40 detection rate, and Jotti and VirusTotal are not much better.



It takes about four clicks for this piece of malware to infect you: 1. click the link, 2. click open/save on the zip, 3. open the zip, and 4. open the .js file. In the code snippet of the .js file nothing is readable; the whole script is obfuscated.

https://www.hybrid-analysis.com/sample/c60032f7ecf025ac34921aa75812ef33988bcd0779d08467a6275bcea65e11da?environmentId=100

What happens when you run it? The script downloads geraldosithx.png. You are probably wondering why, since a PNG is an image file. The .png extension is used precisely because image downloads are unlikely to be blocked. The file is not actually an image: the script renames it to an .exe and places it in %temp%, so any control that trusts the file extension or the Content-Type header will let it through. The file is served from grseeds.com, a Thai domain that has been used maliciously for over two years.
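Two of the tricks above are cheap to catch at the gateway or in a triage script if you look at bytes rather than names: the zip that carries a script file, and the "PNG" that is really a PE executable. The following is an added example written for this post, not code from the original page or from the malware; the archive member name (invoice.js), the script body, and the fake PE header bytes are constructed stand-ins for the real sample, and the real geraldosithx.png is not reproduced here.

```python
import io
import struct
import zipfile

# Extensions the Windows Script Host (or mshta) will run on a double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _ext(name: str) -> str:
    """Lower-cased extension without the dot, or '' if the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def sniff_type(data: bytes) -> str:
    """Identify a blob by its leading bytes, ignoring whatever name it was given."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS header field e_lfanew (offset 0x3c) points at the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims a type we can recognise but the bytes disagree."""
    expected = {"png": "png", "zip": "zip", "exe": "pe", "dll": "pe"}.get(_ext(filename))
    return expected is not None and sniff_type(data) != expected


def script_members(zip_data: bytes) -> list[str]:
    """Archive members whose extension makes them directly executable scripts."""
    with zipfile.ZipFile(io.BytesIO(zip_data)) as zf:
        return [n for n in zf.namelist() if "." + _ext(n) in SCRIPT_EXTENSIONS]


def triage(filename: str, data: bytes) -> list[str]:
    """Findings for one downloaded file: extension lies and script-bearing archives."""
    findings = []
    if extension_mismatch(filename, data):
        findings.append(f"{filename}: extension says {_ext(filename)} "
                        f"but content is {sniff_type(data)}")
    if sniff_type(data) == "zip":
        for member in script_members(data):
            findings.append(f"{filename}: archive contains script {member}")
    return findings


# --- constructed samples (not the real attachment or payload) ---

def build_sample_zip() -> bytes:
    """A zip with one .js member, standing in for the CaseC***.zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "var a = 'stand-in for the obfuscated downloader';")
    return buf.getvalue()


def build_fake_pe() -> bytes:
    """Smallest blob that passes the MZ/PE signature check; it is not a runnable program."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    for name, blob in [("attachment.zip", build_sample_zip()),
                       ("geraldosithx.png", build_fake_pe()),
                       ("real.png", PNG_MAGIC + b"\x00" * 16)]:
        print(name, "->", triage(name, blob) or "no findings")
```

A genuine image passes untouched, while the renamed executable is flagged regardless of its extension or the Content-Type the server sends, and the archive is flagged before anyone has to open it and count clicks. The PE check is deliberately the minimal MZ plus "PE\0\0" signature walk; a fuller parser would also validate the optional header, but for a "does the name lie" decision the signature is enough.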

If you wish to dive deeper, read the Hybrid Analysis report linked above. The final .exe is the Trickbot banking Trojan, which steals online banking credentials. A business infected this way is a more attractive target than an individual, since it is likely to have more cash in its bank account.