Triage | Malware sandboxing report by Hatching Triage

Resubmissions

04-05-2021 21:49

210504-vy6bjrf15e 10

12-04-2021 15:59

210412-pzkl1vf56j 10

12-04-2021 15:21

210412-wmdnkzp5la 10

Sharing

General

Target

click.php.dll
Size

439KB
Sample

210504-vy6bjrf15e
MD5

cbea511bd35f247e4b4bf7cc5a3a7cbd
SHA1

8c0d352934271350cfe6c00b7587e8dc8d062817
SHA256

0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8
SHA512

aec894d9d3aaccccc029c615d283af4946c5150372db0ecdd616a9d491478759068214bf03db11631a5efb59951150d92c1517c2c11d8c6f0ddf5c8f76734fcf

Score

10^/10

trickbot rob52 banker trojan

Malware Config

Extracted

Family	trickbot
Version	2000028
Botnet	rob52
C2	89.250.208.42:449 182.253.184.130:449 31.211.85.110:443 85.112.74.178:449 102.68.17.97:443 103.76.150.14:443 96.9.77.142:443 91.185.236.170:449 87.76.1.81:449 91.225.231.120:443 62.213.14.166:443 81.95.45.234:449 148.216.32.55:443 109.185.139.90:449 202.166.211.197:443 196.41.57.46:449 84.21.206.164:449 190.122.168.219:443 77.95.93.132:449 41.77.134.250:443 87.116.151.237:449 185.205.250.162:443 103.9.188.23:449 78.138.187.231:443 138.185.72.142:443 173.81.4.147:443 31.134.124.90:443 200.90.11.177:449 5.59.205.32:443 89.250.208.42:449 182.253.184.130:449 31.211.85.110:443 85.112.74.178:449 102.68.17.97:443 103.76.150.14:443 96.9.77.142:443 91.185.236.170:449 87.76.1.81:449 91.225.231.120:443 62.213.14.166:443 81.95.45.234:449 148.216.32.55:443 109.185.139.90:449 202.166.211.197:443 196.41.57.46:449 84.21.206.164:449 190.122.168.219:443 77.95.93.132:449 41.77.134.250:443 87.116.151.237:449 185.205.250.162:443 103.9.188.23:449 78.138.187.231:443 138.185.72.142:443 173.81.4.147:443 31.134.124.90:443 200.90.11.177:449 5.59.205.32:443
Attributes	autorun Name:pwgrab
ecc_pubkey.base64

Targets

- Target
  
  click.php.dll
- Size
  
  439KB
- MD5
  
  cbea511bd35f247e4b4bf7cc5a3a7cbd
- SHA1
  
  8c0d352934271350cfe6c00b7587e8dc8d062817
- SHA256
  
  0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8
- SHA512
  
  aec894d9d3aaccccc029c615d283af4946c5150372db0ecdd616a9d491478759068214bf03db11631a5efb59951150d92c1517c2c11d8c6f0ddf5c8f76734fcf
Score

10^/10

trickbot rob52 banker trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Templ.dll packer
  Detects Templ.dll packer which usually loads Trickbot.
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

trickbotrob52bankertrojan

behavioral2

trickbotrob52bankertrojan