trickbot | 632318e584d484189ad8ffda65050e359dbbb1be964662d1ef0940829362416b | Triage

Submit
Reports

Overview

overview

Static

static

bid,07.21.doc

windows7_x64

bid,07.21.doc

windows10_x64

Sharing

General

Target

bid,07.21.doc
Size

87KB
Sample

210715-bvbsqfwe3e
MD5

ad1dd19b623bea0cef2be03da63fabbb
SHA1

d312b79f8ba09a33e1c4da6338d4dc8636f77927
SHA256

632318e584d484189ad8ffda65050e359dbbb1be964662d1ef0940829362416b
SHA512

8404579def778bbafa20a54fda4b3c72a16d4557d361986b99d0b094418c47223198f25961088998b35fb202b81f348127f69ae63193336be05b9c13001ca5c4

Score

10^/10

trickbot zev1 banker spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

bid,07.21.doc

Resource

win7v20210410

trickbot zev1 banker spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

bid,07.21.doc

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

181.114.215.239:443

113.160.132.237:443

105.30.26.50:443

202.165.47.106:443

103.122.228.44:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Targets

- Target
  
  bid,07.21.doc
- Size
  
  87KB
- MD5
  
  ad1dd19b623bea0cef2be03da63fabbb
- SHA1
  
  d312b79f8ba09a33e1c4da6338d4dc8636f77927
- SHA256
  
  632318e584d484189ad8ffda65050e359dbbb1be964662d1ef0940829362416b
- SHA512
  
  8404579def778bbafa20a54fda4b3c72a16d4557d361986b99d0b094418c47223198f25961088998b35fb202b81f348127f69ae63193336be05b9c13001ca5c4
Score

10^/10

trickbot zev1 banker spyware stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

trickbotzev1bankerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy