Overview

overview

10

Static

static

0a30c8ec3a...eb.exe

windows7_x64

10

0a30c8ec3a...eb.exe

windows10_x64

10

0e5992163d...9c.exe

windows7_x64

10

0e5992163d...9c.exe

windows10_x64

10

17476cfc79...b97b55

linux_amd64

17476cfc79...b97b55

linux_mipsel

17476cfc79...b97b55

linux_mips

1ba5ce4390...83.exe

windows7_x64

10

1ba5ce4390...83.exe

windows10_x64

10

1d1003dba4...90.exe

windows7_x64

10

1d1003dba4...90.exe

windows10_x64

10

2994de3557...5d.exe

windows7_x64

10

2994de3557...5d.exe

windows10_x64

10

502ef08d3a...82.exe

windows7_x64

10

502ef08d3a...82.exe

windows10_x64

10

510ca04bda...6e.exe

windows7_x64

10

510ca04bda...6e.exe

windows10_x64

10

59ff60ff16...be.exe

windows7_x64

10

59ff60ff16...be.exe

windows10_x64

10

5f3aa837a2...b4.exe

windows7_x64

10

5f3aa837a2...b4.exe

windows10_x64

10

60dd8ddc33...ce.exe

windows7_x64

10

60dd8ddc33...ce.exe

windows10_x64

10

65f262b210...f0f6b3

linux_mips

6a229bd180...afae50

linux_amd64

6a229bd180...afae50

linux_mipsel

6a229bd180...afae50

linux_mips

6d75489cc9...e8.exe

windows7_x64

10

6d75489cc9...e8.exe

windows10_x64

10

860a424a67...f9.exe

windows7_x64

10

860a424a67...f9.exe

windows10_x64

10

8656f06dda...af.exe

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Local Virus Copies 1.zip

  • Size

    5.8MB

  • Sample

    210113-7jq74rj4rn

  • MD5

    f655a5fe62afb6cbc3f4663e29ede565

  • SHA1

    4b13ce6720de2a35d0f584c72df1dac798a9aebf

  • SHA256

    401ea10bc72be6dbf1463f5fe77e28c1f23bf55477752a19a574e210ec425e6e

  • SHA512

    19510fd46fc15fa0887e350664ffc205ad6a4146c34b976bd15715ff78f0286abae8bc08b9201c1a5ad5ee64c4840a28bcd862a16a0bcb3b71a8c755344f7cb2

Score
10/10
trickbotlib5tot5bankerlinuxtrojan

Malware Config

Extracted

Family

trickbot

Version

100009

Botnet

tot5

C2

149.54.11.54:449

36.89.191.119:449

41.159.31.227:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.44:449

194.5.249.143:443

142.202.191.175:443

195.123.241.31:443

45.89.125.214:443

45.83.151.103:443

91.200.103.41:443

66.70.246.0:443

64.74.160.218:443

198.46.198.115:443

5.34.180.173:443

23.227.196.5:443

195.123.241.115:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64
ecc_pubkey.base64

Extracted

Family

trickbot

Version

100009

Botnet

lib5

C2

149.54.11.54:449

36.89.191.119:449

41.159.31.227:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.44:449

194.5.249.143:443

142.202.191.175:443

195.123.241.31:443

45.89.125.214:443

45.83.151.103:443

91.200.103.41:443

66.70.246.0:443

64.74.160.218:443

198.46.198.115:443

5.34.180.173:443

23.227.196.5:443

195.123.241.115:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64
ecc_pubkey.base64

Targets

    • Target

      0a30c8ec3ab86e933c7689b45546ba29c3d723331b9c04d147ec7ecbacba13eb

    • Size

      432KB

    • MD5

      babeef71d5a5a9657800a922cbe9e8f2

    • SHA1

      c45641f6aaea140899ea5ba07e60d609803e40bd

    • SHA256

      0a30c8ec3ab86e933c7689b45546ba29c3d723331b9c04d147ec7ecbacba13eb

    • SHA512

      bb71e8480f5153254ac5ba8121da3586940389e62fcafc6e6c7aefbb4a6444e24fd9e9bafbb34aaf5926f18d681dfb9514257d7e3b32cb4173b18396f90a0af6

    Score
    10/10
    trickbottot5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      0e5992163d33a3699a6ef399dd08fbbc431db3ae61cc741e0eeca6095a1d419c

    • Size

      424KB

    • MD5

      520394c31ed744fa35923374e013c70e

    • SHA1

      9602266b5effdf24bfa8348516879f491fed937e

    • SHA256

      0e5992163d33a3699a6ef399dd08fbbc431db3ae61cc741e0eeca6095a1d419c

    • SHA512

      508d7478e4e1c783ccdeb2ae63a91de532c90c75c133fed556f674dc94029debf17e1f55d93586613f13ae2df2966929aa521908e679c469bd1eda713c9c71e0

    Score
    10/10
    trickbotlib5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

    • Target

      17476cfc79afe3df65226910b7a3660d42c859702a0c40c40f6e56712eb97b55

    • Size

      110KB

    • MD5

      6c7764f1bd39427078b73d4a9bc50eaf

    • SHA1

      5ceb8e46f96bf123cfc791d3ad1b9f6cfabe0080

    • SHA256

      17476cfc79afe3df65226910b7a3660d42c859702a0c40c40f6e56712eb97b55

    • SHA512

      d63a79013f502e065513ae28ecb4f72d962d5bb5bec286444d42ab9dfdb4838a7b398d258184ee0e50f03fbaec63f4af67769858be2abbe54fe0d4fe476d15e9

    Score
    1/10
    behavioral5behavioral6behavioral7

    • Target

      1ba5ce4390091732440cc4b097f1daa11784918ced39dd36d73a8864531ecc83

    • Size

      424KB

    • MD5

      43c71aec4f0757115ef550a63152e1ea

    • SHA1

      a53c17953c52416563eed0b727bc80dabdbf0a40

    • SHA256

      1ba5ce4390091732440cc4b097f1daa11784918ced39dd36d73a8864531ecc83

    • SHA512

      59b09781878d18f10620289acc0a2ba075fd2820d76c90ebb6f9619fc9a77ec2939a3cf4ca7757917e50f349e8fc8827abdf93d9442731d7b642d43454da0ad0

    Score
    10/10
    trickbotlib5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral8behavioral9

    • Target

      1d1003dba4c6ef333cd8e5cfee1eddc24721940ef22d4bee4fe8c3382c591590

    • Size

      424KB

    • MD5

      01994d42b90530a23eeea4e8d1289737

    • SHA1

      7cb3edb949a6e6522795f280a807a0725a0af2bc

    • SHA256

      1d1003dba4c6ef333cd8e5cfee1eddc24721940ef22d4bee4fe8c3382c591590

    • SHA512

      248927632a80597d9916d9ffcf449e021ea1adeeb06babd95d0102b929a8ca9d97575d50ff67e1c71e8b34c46bd571f6bb1093376f99fb88e3759e4b609560e4

    Score
    10/10
    trickbotlib5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral10behavioral11

    • Target

      2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d

    • Size

      432KB

    • MD5

      f61419f981d3972f24a149c338f7d163

    • SHA1

      d1552af73d6150472aff0b9541c714048881720d

    • SHA256

      2994de35577bd3962fef952226d3c0a57dceebd278e03dbc158c67ea79db1e5d

    • SHA512

      74ad74d0ccfec137def0e5c17b9521b2d1efba20970e5e8e5d0432db465bafbf6d26db6c9852fb5f8200c31abfabfa0dc7df5e3c8835d7cc89ad80141ab0b2c5

    Score
    10/10
    trickbottot5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral12behavioral13

    • Target

      502ef08d3a7c0ad21563f566a16f7e704536cfe236975ae9448fc1a4a2def182

    • Size

      432KB

    • MD5

      528d4c7f75728d6d9f428cf8784347d5

    • SHA1

      c328675b484b71fe227091e8eba672e7e93525a9

    • SHA256

      502ef08d3a7c0ad21563f566a16f7e704536cfe236975ae9448fc1a4a2def182

    • SHA512

      3dcb854e0f88029959100f919750bc69c27c9d7c1979e21827704cef2ec688e744839a4e7dfb61bc2736f121858338c6d6cc5c816cf5ed551f464079b9e0b0ac

    Score
    10/10
    trickbottot5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral14behavioral15

    • Target

      510ca04bdaf2469ce106881125c61c371b492cfa7c3426448dcaa2de7a578b6e

    • Size

      432KB

    • MD5

      3e3d601d9aa9be79e014cad137fd35a8

    • SHA1

      e193f9e447de77f19dedbfa3a4273a97facc4a11

    • SHA256

      510ca04bdaf2469ce106881125c61c371b492cfa7c3426448dcaa2de7a578b6e

    • SHA512

      1ecc40b2ae50ad8856aa3e97de8a2b3fd49a4e318b2dab99f411fc7104a0247bb67b5d228858d6901e8ad9009b3322b789a185f5b83f3b1f99cfb09787a0a91c

    Score
    10/10
    trickbottot5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral16behavioral17

    • Target

      59ff60ff16327d9d23d822e7c5c9468b52a6ffc81b7ba5abc4077402904053be

    • Size

      424KB

    • MD5

      409039706aaca03c4b89133bc0d488db

    • SHA1

      93940a314e86a8dcdce6bfe2ce49fd3c936a5341

    • SHA256

      59ff60ff16327d9d23d822e7c5c9468b52a6ffc81b7ba5abc4077402904053be

    • SHA512

      ce4d96572183b17ca5e60cc7b2991eb91564995d98371021444107d0515f1bc20fd2212e264ed12a96903270c9d78f8c50c8bae899c95df49248feb64f5f626e

    Score
    10/10
    trickbotlib5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral18behavioral19

    • Target

      5f3aa837a2ee484fd6f0791b409bae6638dfc248bbbd50917edf35d1df949fb4

    • Size

      424KB

    • MD5

      a363d3eb01fe3f7885fd4fbefe6618b8

    • SHA1

      e51c0633acb7c1d042cf61e9100baadc6b1cf865

    • SHA256

      5f3aa837a2ee484fd6f0791b409bae6638dfc248bbbd50917edf35d1df949fb4

    • SHA512

      d8df8a1fbf09071acc48139fa019d8150698ab7b8647e8393fdc34e9b19d3a4d21ccc9e63253638fcbf7950ed48badf0d41981abdccb24c78368190fb591f416

    Score
    10/10
    trickbotlib5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral20behavioral21

    • Target

      60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce

    • Size

      424KB

    • MD5

      40163c8a35e475ecf5d6cb0a81f6662c

    • SHA1

      5f5ee80e01da7e5f649da6b9389778bd9c588a69

    • SHA256

      60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce

    • SHA512

      ab1c6f5f595e9e320094dd9c091a2f7f6d7750c45b86a8db73b97b76c60d0fc496149a73cde75d71360ad6a621697f4938d74d1f58fae106f7640128d3e673bb

    Score
    10/10
    trickbotlib5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral22behavioral23

    • Target

      65f262b210c258048e07f19bb1652a88c1e4bf77d615bb387793038249f0f6b3

    • Size

      110KB

    • MD5

      d882ebd42dc83e4762cad3146e11e2e3

    • SHA1

      7ff4661028979c03b37b4c6cb94dcd0cc3f0ff06

    • SHA256

      65f262b210c258048e07f19bb1652a88c1e4bf77d615bb387793038249f0f6b3

    • SHA512

      4a49dcef150954ef676036c5d9218f580fec8f9ce12d9bded7e0b2baa62fce406126b5ddee576601a6bfd8b32dec225aaf001f548b2373f4a51638ab3b90c73e

    Score
    1/10
    behavioral24

    • Target

      6a229bd180d32e84e25127aec9b2270c0dd4691fac68daab2f912c6d7cafae50

    • Size

      108KB

    • MD5

      74c168fb5c77bd21e9f9d203345e515d

    • SHA1

      73c6884a360d419b8b16cf1b5b03f692b74e1294

    • SHA256

      6a229bd180d32e84e25127aec9b2270c0dd4691fac68daab2f912c6d7cafae50

    • SHA512

      b3171b52f2d224dfdf59543581c2c698f28354dbead41592bf705282baff969e87279f40bfcb10c3ae98c26408b5a5077f69eed84418d2c18f059026a70a91a9

    Score
    1/10
    behavioral25behavioral26behavioral27

    • Target

      6d75489cc9810744aef3870bfc98b986fee040ea989ab2ed635823ba957d16e8

    • Size

      432KB

    • MD5

      38e9047a488956a94e7b864948f288bf

    • SHA1

      c60c8cf6b5988cbe2983707beb19e08a4feda2c8

    • SHA256

      6d75489cc9810744aef3870bfc98b986fee040ea989ab2ed635823ba957d16e8

    • SHA512

      e41cc10163e2bf5cac19b4d8d6cb2322a76634327db2862c6c0ee74f55850083bc37a9bef63ff217ce776f3746b735cac68f8611d4207c8be70116415983805c

    Score
    10/10
    trickbottot5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral28behavioral29

    • Target

      860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9

    • Size

      432KB

    • MD5

      2416b3fead57166f33e05c52bc35faeb

    • SHA1

      29a0be9b3e09758c3b40400e6a971fa6c85f14f1

    • SHA256

      860a424a6740843be55e2e932b0a666baf082539c40e30e0808acd41276967f9

    • SHA512

      a94cf5d20d3e923ba9fb8055752efe372bc4553d5c77a5c04eb84d3f3933c7014059bc0ed9361aaf196ca9510b15f386cadb14e85b3c9992be066d8eb4773069

    Score
    10/10
    trickbottot5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral30behavioral31

    • Target

      8656f06dda3c483ea02a8cf036ed4ea59e1ba36637cf55be6fb77f3f6e8f90af

    • Size

      432KB

    • MD5

      a45334e07ee0b06a93fe4195ca1608e7

    • SHA1

      7fd331f655ba9efc9884567fb6960ea3571f0811

    • SHA256

      8656f06dda3c483ea02a8cf036ed4ea59e1ba36637cf55be6fb77f3f6e8f90af

    • SHA512

      60a8d6dec0aca377967320c2e85fca4af0b10db3be1c57cac86093c4a46c121fca11fb359924e38dc572d3edb997551f00531b29c8f95ee01355bd8b43d5d314

    Score
    10/10
    trickbottot5bankertrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral32

MITRE ATT&CK Matrix

Tasks

static1

Score
N/A

behavioral1

trickbottot5bankertrojan
Score
10/10

behavioral2

trickbottot5bankertrojan
Score
10/10

behavioral3

trickbotlib5bankertrojan
Score
10/10

behavioral4

trickbotlib5bankertrojan
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

trickbotlib5bankertrojan
Score
10/10

behavioral9

trickbotlib5bankertrojan
Score
10/10

behavioral10

trickbotlib5bankertrojan
Score
10/10

behavioral11

trickbotlib5bankertrojan
Score
10/10

behavioral12

trickbottot5bankertrojan
Score
10/10

behavioral13

trickbottot5bankertrojan
Score
10/10

behavioral14

trickbottot5bankertrojan
Score
10/10

behavioral15

trickbottot5bankertrojan
Score
10/10

behavioral16

trickbottot5bankertrojan
Score
10/10

behavioral17

trickbottot5bankertrojan
Score
10/10

behavioral18

trickbotlib5bankertrojan
Score
10/10

behavioral19

trickbotlib5bankertrojan
Score
10/10

behavioral20

trickbotlib5bankertrojan
Score
10/10

behavioral21

trickbotlib5bankertrojan
Score
10/10

behavioral22

trickbotlib5bankertrojan
Score
10/10

behavioral23

trickbotlib5bankertrojan
Score
10/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

trickbottot5bankertrojan
Score
10/10

behavioral29

trickbottot5bankertrojan
Score
10/10

behavioral30

trickbottot5bankertrojan
Score
10/10

behavioral31

trickbottot5bankertrojan
Score
10/10

behavioral32

trickbottot5bankertrojan
Score
10/10