General

  • Target

    asdpogasdjabn.exe

  • Size

    660KB

  • Sample

    201109-28h8hb5dsx

  • MD5

    3ba7d3dbc17ce640e0bb3dd5f989169b

  • SHA1

    84ee0b6e02339f1deb33d75693551db444923ba8

  • SHA256

    52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929

  • SHA512

    3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

C2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      asdpogasdjabn.exe

    • Size

      660KB

    • MD5

      3ba7d3dbc17ce640e0bb3dd5f989169b

    • SHA1

      84ee0b6e02339f1deb33d75693551db444923ba8

    • SHA256

      52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929

    • SHA512

      3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Blacklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

1
T1059

Persistence

Modify Existing Service

1
T1031

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks