Overview

overview

10

Static

static

30 mins

windows7_x64

10

30 mins Win10

windows10_x64

10

Resubmissions

23-11-2020 11:51

201123-ypblgj22k2 10

20-11-2020 11:47

201120-y2cng92bq6 10

20-11-2020 11:44

201120-5yd27gn712 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    trick.dll

  • Size

    272KB

  • Sample

    201123-ypblgj22k2

  • MD5

    5f7b5a98f75f4aa550e4368eb6dc9733

  • SHA1

    d835a309e249f5d526529b9a28ed138b1bcfd40b

  • SHA256

    c2c3bb003eb76cc5f1a9e2bc938c4254f4c4c3b2cc017e9a39d00a88f7ab181a

  • SHA512

    167e5e1af1c82b9379d4a275f77b373969c0655d0b4f6ea32942d70f18b1147e65ef525e8f8f2d3d27c0ebf914785ce7b15e7808c3ca1700983bbc9eb318ebac

Score
10/10
trickbotrob7bankerdavepersistencespywaretrojan

Malware Config

Extracted

Family

trickbot

Version

100003

Botnet

rob7

C2

102.164.206.129:449

103.131.156.21:449

103.131.157.102:449

103.131.157.161:449

103.146.232.5:449

103.150.68.124:449

103.156.126.232:449

103.30.85.157:449

103.52.47.20:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      trick.dll

    • Size

      272KB

    • MD5

      5f7b5a98f75f4aa550e4368eb6dc9733

    • SHA1

      d835a309e249f5d526529b9a28ed138b1bcfd40b

    • SHA256

      c2c3bb003eb76cc5f1a9e2bc938c4254f4c4c3b2cc017e9a39d00a88f7ab181a

    • SHA512

      167e5e1af1c82b9379d4a275f77b373969c0655d0b4f6ea32942d70f18b1147e65ef525e8f8f2d3d27c0ebf914785ce7b15e7808c3ca1700983bbc9eb318ebac

    Score
    10/10
    trickbotrob7bankerpersistencespywaretrojandave

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Blacklisted process makes network request

    • Dave packer

      Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

      dave

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies service

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks