Overview

overview

10

Static

static

radiance.p...et.exe

windows7_x64

10

radiance.p...et.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    radiance.png.pellet

  • Size

    532KB

  • Sample

    201124-6fm1ely71s

  • MD5

    e8a28a5d13c44e81779b7f499224e5bf

  • SHA1

    52cd0f52e9fab839fac42dd69a1c52aa9b9885f8

  • SHA256

    696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

  • SHA512

    fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

Score
10/10
trickbottot352bankerevasionpersistencespywaretrojan

Malware Config

Extracted

Family

trickbot

Version

1000298

Botnet

tot352

C2

185.222.202.113:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

188.68.209.153:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      radiance.png.pellet

    • Size

      532KB

    • MD5

      e8a28a5d13c44e81779b7f499224e5bf

    • SHA1

      52cd0f52e9fab839fac42dd69a1c52aa9b9885f8

    • SHA256

      696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

    • SHA512

      fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

    Score
    10/10
    trickbottot352bankerevasiontrojanpersistencespyware

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks