General

  • Target: cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58
  • Size: 624KB
  • Sample: 201113-a4etz3xar2
  • MD5: e1d32800e12d4df430e9f016bfba70b3
  • SHA1: 2aadf50c972d6dcbd439896a2cb5446f4fa8eebc
  • SHA256: cdfee4284b9ef2c76b7198c1e21118c19be395ac76d3485d50d0ff63faa21d58
  • SHA512: 870fdbdadefbfab69887c50b253270cce3ce9da90092b11a6d26bd4989a98182833f07be7836109ee2e157d698139c8ed1094cf2f53d4483458b50a04410da13

Malware Config (extracted)

  • Family: trickbot
  • Version: 100001
  • Botnet: tar2
  • C2:
      66.85.183.5:443
      185.163.47.157:443
      94.140.115.99:443
      195.123.240.40:443
      195.123.241.226:443
  • Attributes:
      autorun Name: pwgrab
      ecc_pubkey.base64

Targets

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      Count  ID
  Persistence      Modify Existing Service        1      T1031
  Defense Evasion  Modify Registry                1      T1112
  Discovery        Query Registry                 2      T1012
  Discovery        Peripheral Device Discovery    2      T1120
  Discovery        System Information Discovery   2      T1082
