General

  • Target

    20210610_id068aa.dll

  • Size

    460KB

  • Sample

    210610-vfygj4t1yn

  • MD5

    d79ab901b334ecfec1320778fdd507c5

  • SHA1

    1c273f4e329c5527625a75fcb9488522e9c555e0

  • SHA256

    87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4

  • SHA512

    7505d65c9b81752a13dc1df1e0226173deb5e7caf22fb1a3a3131770c5853667c1989a4f3acb8e5035575ee77fa342ee855e277f639a700e5210424908f6c267

Malware Config

Extracted

Family

trickbot

Version

100017

Botnet

mon311

C2

178.72.192.20:443

103.124.145.98:443

45.5.152.39:443

114.7.240.222:443

85.248.1.126:443

94.183.237.101:443

146.196.121.219:443

89.37.1.2:443

94.142.179.77:443

177.221.39.161:443

85.175.171.246:443

103.12.160.164:443

180.178.106.50:443

94.142.179.179:443

46.209.140.220:443

123.231.149.122:443

123.231.149.123:443

182.160.116.190:443

131.0.112.122:443

116.0.6.110:443

Attributes
autorun
Name:pwgrabb
Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      20210610_id068aa.dll

    • Size

      460KB

    • MD5

      d79ab901b334ecfec1320778fdd507c5

    • SHA1

      1c273f4e329c5527625a75fcb9488522e9c555e0

    • SHA256

      87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4

    • SHA512

      7505d65c9b81752a13dc1df1e0226173deb5e7caf22fb1a3a3131770c5853667c1989a4f3acb8e5035575ee77fa342ee855e277f639a700e5210424908f6c267

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation