General

  • Target

    dilaryi8.exe

  • Size

    343KB

  • Sample

    200824-h2pr53zak6

  • MD5

    d02406a2b62215dc5d5a42e0c8e15f6e

  • SHA1

    7ffa70f90eb6bf01b2b7f3b2fde2fbe93ba6acc4

  • SHA256

    274170f2acf032561911675964fe1852e63e5af6bf97c3a76d6273cf7b5bf1c0

  • SHA512

    c6879fa99d961dc1bfc07e136d89054ca94087ca8e3fa50b12b389c983b4e46eae6243cb756947e11eb62c458f8e8b9f652a3069c5ab738575a0c2bd844658b7

Malware Config

Extracted

  • Family

    trickbot

  • Version

    1000102

  • Botnet

    mac1

  • C2


Attributes

  • autorun

    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll

  • ecc_pubkey.base64

Targets

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Windows security bypass

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Disabling Security Tools: T1089 (1)

  • Modify Registry: T1112 (1)

Tasks