trickbot | 274cb0eb63377f2710724bba6daa6cd742d7ac1560063faa87e23f6de9d873d3 | Triage

Submit
Reports

Overview

overview

Static

static

legal pape..._9.doc

windows7_x64

legal pape..._9.doc

windows10_x64

Sharing

General

Target

legal paper_07.21_9.doc
Size

86KB
Sample

210715-cwevdnxnhj
MD5

137b44ecb48980e4ba15123c9f15f83c
SHA1

0b2f64e31c2194ff68a0b93f933c0d25e0c6a117
SHA256

274cb0eb63377f2710724bba6daa6cd742d7ac1560063faa87e23f6de9d873d3
SHA512

9e9c6d9d62429d91d60b78ae2063119437e0b3b14cb0aa8696ff252813e8595f6e631299231c9d613802821a621036ebf92e7afd546f245ef4fa68fab8b56879

Score

10^/10

trickbot zev1 banker spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

legal paper_07.21_9.doc

Resource

win7v20210410

trickbot zev1 banker spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

legal paper_07.21_9.doc

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

181.114.215.239:443

113.160.132.237:443

105.30.26.50:443

202.165.47.106:443

103.122.228.44:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Targets

- Target
  
  legal paper_07.21_9.doc
- Size
  
  86KB
- MD5
  
  137b44ecb48980e4ba15123c9f15f83c
- SHA1
  
  0b2f64e31c2194ff68a0b93f933c0d25e0c6a117
- SHA256
  
  274cb0eb63377f2710724bba6daa6cd742d7ac1560063faa87e23f6de9d873d3
- SHA512
  
  9e9c6d9d62429d91d60b78ae2063119437e0b3b14cb0aa8696ff252813e8595f6e631299231c9d613802821a621036ebf92e7afd546f245ef4fa68fab8b56879
Score

10^/10

trickbot zev1 banker spyware stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

trickbotzev1bankerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy