trickbot | 25078d9e4b0f4b5aedc10cb63e943089c57154da08b1e8684c9b3eef54774b70 | Triage

Submit
Reports

Overview

overview

Static

static

question_0...21.doc

windows7_x64

1

question_0...21.doc

windows10_x64

Sharing

General

Target

question_07.08.2021.doc
Size

55KB
Sample

210708-y5qb977lfa
MD5

e5e32451730716ed5b0bf3f4d797a262
SHA1

17f6668019bc20bfab048d6167ee0efb75db2984
SHA256

25078d9e4b0f4b5aedc10cb63e943089c57154da08b1e8684c9b3eef54774b70
SHA512

11c42bbd3153312a489a63e1dd53fcd0f67430976dda7fc64ce69c161fae680911475e379bbbb444b44d591ddb8f82e66f5dd7cb8fa7a03b07cda3f161cccf4b

Score

10^/10

trickbot zev1 banker spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

question_07.08.2021.doc

Resource

win7v20210410

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

question_07.08.2021.doc

Resource

win10v20210408

trickbot zev1 banker spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

181.114.215.239:443

113.160.132.237:443

105.30.26.50:443

202.165.47.106:443

103.122.228.44:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Targets

- Target
  
  question_07.08.2021.doc
- Size
  
  55KB
- MD5
  
  e5e32451730716ed5b0bf3f4d797a262
- SHA1
  
  17f6668019bc20bfab048d6167ee0efb75db2984
- SHA256
  
  25078d9e4b0f4b5aedc10cb63e943089c57154da08b1e8684c9b3eef54774b70
- SHA512
  
  11c42bbd3153312a489a63e1dd53fcd0f67430976dda7fc64ce69c161fae680911475e379bbbb444b44d591ddb8f82e66f5dd7cb8fa7a03b07cda3f161cccf4b
Score

10^/10

trickbot zev1 banker spyware stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

trickbotzev1bankerspywarestealertrojan

© 2018-2024

Terms | Privacy