trickbot | 126119655bf88be629e8cb7af17b74ed7316557a170e43bb518ce3072d1b6aef | Triage

Sharing

General

Target

126119655bf88be629e8cb7af17b74ed7316557a170e43bb518ce3072d1b6aef
Size

600KB
Sample

201115-wakft648gn
MD5

842590a5c639634c2ab40919616fb7f0
SHA1

b36cb812850b41394bb50172faddb44ade00fcdf
SHA256

126119655bf88be629e8cb7af17b74ed7316557a170e43bb518ce3072d1b6aef
SHA512

a3a75692a5d97bb9f5181e2376cd1b08ca1053ca1b904496632b970df286ad11af2a540d1ac30c0c2a558b95d79e3fc2eaaa0844448dcad038bc555a1cbde9a9

Score

10^/10

trickbot lib7 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000016

Botnet

lib7

C2

202.136.89.226:449

202.169.244.252:449

203.176.135.38:449

212.3.104.50:449

41.203.215.122:449

41.41.179.239:449

43.239.152.240:449

43.242.141.59:449

43.245.216.190:449

43.255.113.180:449

45.230.8.34:449

45.233.25.6:449

78.138.128.20:449

49.156.41.74:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  126119655bf88be629e8cb7af17b74ed7316557a170e43bb518ce3072d1b6aef
- Size
  
  600KB
- MD5
  
  842590a5c639634c2ab40919616fb7f0
- SHA1
  
  b36cb812850b41394bb50172faddb44ade00fcdf
- SHA256
  
  126119655bf88be629e8cb7af17b74ed7316557a170e43bb518ce3072d1b6aef
- SHA512
  
  a3a75692a5d97bb9f5181e2376cd1b08ca1053ca1b904496632b970df286ad11af2a540d1ac30c0c2a558b95d79e3fc2eaaa0844448dcad038bc555a1cbde9a9
Score

10^/10

trickbot lib7 banker trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

trickbotlib7bankertrojan

behavioral2

trickbotlib7bankertrojan