General

  • Target

    9f46729f68497f8aa905e1f8ed3d197d5924a8d7acee4813b1549e6ede0cc6a8

  • Size

    768KB

  • Sample

    210324-gnr6t2szcs

  • MD5

    5bb0b118834c3af28feedc0d594b9b2f

  • SHA1

    403cc32f641133f41a5f1a9b8746871d87348f00

  • SHA256

    9f46729f68497f8aa905e1f8ed3d197d5924a8d7acee4813b1549e6ede0cc6a8

  • SHA512

    5ec7d61513c6c81df3febcc8d70f6dba6aae870ad62dc0d58fa53f8792f73ec6464393936a34b5a411c4dbdc49ad410b06922439f40f3669e166ed2e2b527524

Malware Config

Extracted

Family

trickbot

Version

100013

Botnet

mon126

C2

103.225.138.94:449

122.2.28.70:449

123.200.26.246:449

131.255.106.152:449

142.112.79.223:449

154.126.176.30:449

180.92.238.186:449

187.20.217.129:449

201.20.118.122:449

202.91.41.138:449

95.210.118.90:449

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      9f46729f68497f8aa905e1f8ed3d197d5924a8d7acee4813b1549e6ede0cc6a8

    • Size

      768KB

    • MD5

      5bb0b118834c3af28feedc0d594b9b2f

    • SHA1

      403cc32f641133f41a5f1a9b8746871d87348f00

    • SHA256

      9f46729f68497f8aa905e1f8ed3d197d5924a8d7acee4813b1549e6ede0cc6a8

    • SHA512

      5ec7d61513c6c81df3febcc8d70f6dba6aae870ad62dc0d58fa53f8792f73ec6464393936a34b5a411c4dbdc49ad410b06922439f40f3669e166ed2e2b527524

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Templ.dll packer

      Detects Templ.dll packer which usually loads Trickbot.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Tasks