[ Fake DnB documents malspam delivers Trickbot banking Trojan ]

I happened to chance upon this alert from Singapore Commercial Credit Bureau as shown in the image below.

I got interested in this since it’s a Singapore company giving this alert. I started looking at the samples from VirusTotal and found this interesting email.
It is an email with the subject “FW: Case DNB928929”, pretending to come from “Dun & Bradstreet” but actually sent from a look-alike domain “”, with either a malicious zip attachment containing a .doc file or a .doc attachment directly, delivering the Trickbot banking Trojan.

The malware authors are using email addresses that are similar to the real “Dun & Bradstreet” ones, and subjects that will scare or entice a user into reading the email and opening the attachment.

The email looks like:

The hash of the malicious doc is: 79344f12ecfbd478a564297e339067180625e83c7266c4cab39b2f68440fcb6b

If we analyse the malicious doc, we can see the following VBA within it.

For simplicity's sake, I've made a simpler version to show the decoded string here: https://dotnetfiddle.net/31w0YF
As we can see from the code snippet below, the VBA in the malicious doc will download the payload from “http://calendarortodox[.]ro/serstalkerskysbox.png”.

That “serstalkerskysbox.png” is actually Trickbot.
The hash of that Trickbot sample is 3e225d16e486fae7df684d73c6e4531fbaf203b898ea899623cf5150a0f13652

hasherezade has already made an awesome video on unpacking Trickbot, so users can just watch the YouTube video and learn from it.

As a gentle reminder to all users:
PLEASE be very CAREFUL with email attachments. All of these emails usually use social engineering tricks to persuade you to open the malicious attachments that come attached with the email.

Have Phun
Jacob Soo

[ TECHNICAL TEARDOWN: DBS MalSpam Attack – Bank Fund Transfer ]

Previously, we have written about a MalSpam attack in Japan.

Recently, we have found several emails that are being sent out targeting DBS users.

[ Sample used in the analysis ]
MD5: 0a7150f13a5ad4e496992374082232f8
SHA256: d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
Sample: DBS.Malspam

[ Part 1 : Getting Started ]
For those who want to follow along.
Please do take note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A”.

Opening up the .eml file with Visual Studio Code, we can see that the email contains a malicious DOC file (271-20170627-55147_109.doc).

We can also see the contents of that email.
============================================
Dear Customer,

This attached Advice is sent to you for information only.

This is an automatically generated notification.

Please do not reply to this email. Contact us at our corporate hotline at 1800-222-2200 between
8:30am to 6:15pm, for any service requests.

Yours Sincerely,
DBS Bank Ltd

============================================

However, we are more interested in the malicious DOC file. Let's Base64-decode that back into a DOC file. After decoding it back to a file, we can see that this malicious DOC file contains VBA, as shown in the image below.
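The extraction step above, as an added example that is not part of the original post: parse the .eml, Base64-decode each attachment, hash it and apply two cheap triage checks (the OLE2 magic bytes and the UTF-16LE "_VBA_PROJECT" stream name that macro-carrying .doc files contain). The .eml and the attachment body are constructed here; the marker check is a heuristic, and olevba from oletools is the proper tool for the real file.

```python
import base64
import email
import hashlib
from email import policy

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .doc (OLE2 compound file) header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # OLE stream names are stored as UTF-16LE

# Constructed sample, not the real DBS malspam: a fake OLE2 blob carrying the
# _VBA_PROJECT stream name, wrapped in a base64 attachment with the page's filename.
FAKE_DOC = OLE2_MAGIC + b"\x00" * 24 + VBA_MARKER + b"\x00" * 8
SAMPLE_EML = (
    "From: DBS Bank Ltd <noreply@example.invalid>\r\n"
    "Subject: Bank Fund Transfer Advice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n\r\n'
    "--BOUNDARY\r\nContent-Type: text/plain\r\n\r\n"
    "Dear Customer,\r\nThis attached Advice is sent to you for information only.\r\n"
    "--BOUNDARY\r\nContent-Type: application/msword\r\n"
    'Content-Disposition: attachment; filename="271-20170627-55147_109.doc"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(FAKE_DOC).decode() + "\r\n--BOUNDARY--\r\n"
)


def extract_attachments(raw_eml):
    """Yield (filename, decoded bytes) for each attachment part of the .eml."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    for part in msg.iter_attachments():
        # decode=True undoes the Content-Transfer-Encoding (base64 here)
        yield part.get_filename(), part.get_payload(decode=True)


def triage(data):
    """Hash the blob and apply two cheap checks: OLE2 magic and a VBA stream name."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_ole2": data.startswith(OLE2_MAGIC),
        "has_vba_marker": VBA_MARKER in data,
    }


def triage_eml(raw_eml):
    """Map attachment filename -> triage result for every attachment in the email."""
    return {name: triage(blob) for name, blob in extract_attachments(raw_eml)}


if __name__ == "__main__":
    for name, info in triage_eml(SAMPLE_EML).items():
        print(name, info)
```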

As the VBA is quite short, we can extract the decryption method and make use of dotnetfiddle to quickly decrypt the strings. I’ve made a simple fiddle to show the deobfuscated strings here:
https://dotnetfiddle.net/uniQB6

As you can see here, the VBA will attempt to download the payload from:
http://wallpaperbekasi[.]co[.]id/bankadvise/271-20170627-55164_45PDF.exe

The downloaded payload is developed in VB.net.
A quick analysis on the downloaded payload indicates that it’s most likely a dropper.

So let’s load it up in OllyDbg and set a breakpoint on “WriteProcessMemory”.
Right-click, choose “Go to” -> “Expression”, type “WriteProcessMemory” and set a breakpoint on it using F2.

Now you can step through it and eventually you will reach the point shown in the image below.

Now right-click on “Buffer” and click on “Follow in Dump” and you can use HxD or Profiler to carve out the dropped payload.

Now dump out the dropped payload.
We can see that it’s yet another obfuscated .NET malware.
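The carving step above, as an added example that is not the author's code: once the buffer handed to WriteProcessMemory has been dumped, scan it for PE headers and cut out the embedded image using the section table (end of the last raw section), which is what the manual HxD carve does by eye. The "memory dump" and the PE skeleton inside it are constructed here; on a real dump, feed it the bytes saved from the Follow in Dump window.

```python
import struct


def carve_pe_images(buf):
    """Return (offset, size) for every PE image whose headers parse inside buf.
    size is the end of the last raw section, i.e. the file-layout image a
    dropper hands to WriteProcessMemory, so buf[offset:offset + size] is the drop."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        hdr = buf[pos:]
        if len(hdr) >= 0x40:
            e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
            if 0x40 <= e_lfanew <= len(hdr) - 24 and hdr[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                nsec = struct.unpack_from("<H", hdr, e_lfanew + 6)[0]        # NumberOfSections
                opt_size = struct.unpack_from("<H", hdr, e_lfanew + 20)[0]   # SizeOfOptionalHeader
                sec_tbl = e_lfanew + 24 + opt_size                           # first section header
                end = 0
                if sec_tbl + nsec * 40 <= len(hdr):
                    for i in range(nsec):
                        # SizeOfRawData and PointerToRawData sit at +16/+20 of each 40-byte entry
                        raw_size, raw_ptr = struct.unpack_from("<II", hdr, sec_tbl + i * 40 + 16)
                        end = max(end, raw_ptr + raw_size)
                if end and end <= len(hdr):
                    found.append((pos, end))
        pos = buf.find(b"MZ", pos + 1)  # keep scanning: droppers can embed several images
    return found


def build_fake_pe(payload):
    """Constructed PE skeleton (not a runnable executable): DOS stub, COFF header
    with no optional header, and one section whose raw data is `payload`."""
    e_lfanew = 0x40
    raw_ptr = e_lfanew + 24 + 40                     # section data right after the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
    return dos + coff + sec + b"\0" * 16 + payload


# Constructed "memory dump": junk containing a stray MZ, the embedded image, trailing slack.
DUMP = b"\0" * 10 + b"MZ" + b"\0" * 288 + build_fake_pe(b"DROPPED PAYLOAD") + b"\xcc" * 50

if __name__ == "__main__":
    for off, size in carve_pe_images(DUMP):
        print(f"PE image at offset {off}, {size} bytes")
```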

We can use de4dot to deobfuscate it and we should get back a cleaner version of it as shown below.

As I don’t want to bore everyone: from a quick look at the decoded strings, the malware is most likely AgentTesla.

The stolen credentials are sent back via email to:
username: tou013@efx.net.nz
password: etou01315

Here are the decoded strings:
https://dotnetfiddle.net/PIJjBt

Thanks & Regards
Jacob Soo

SHA-256:
========
Emails containing malicious Doc
d69e487eb19b229901ab9857d508e9ec8e33bd5c5dbfd53b8caaa2de06f1565f
d38359359c5e7abc0b5118f2a7d2afa387b43ccdc52cf18d0e5fefc2f34bec0d
17224da53b266c1a7e487d95b57ad47c21dec82ca42056a785dd816555d46967
a988dd743fc359fc42d2c511f820c758dfc2c5c8301ced4bcfe5ac72672b1cdc

SHA-256:
========
Malicious Doc
db4703a6cea9b700cc17b527e7d0a4e228bdd41659bece18c65f0877724c87a4

SHA-256:
========
Downloaded Payload – 702a17b7accceaa6ffb817a3adf37323a34944d643cbb4524c4e6b7c0900c5e5
Dropped Obfuscated AgentTesla – 4B6164F16309F6E8426FB89F4AF810929FE574B2EBB724F5CB2237863736E316
Deobfuscated AgentTesla – 6EAD076346EC568160821BB47F49D463689656F102EDAA06DBA907FDAE3FD5AE