trickbot | f855f3257ac852c2ffd3c4eb498886ffd7bc09ac4b13e04ea5ba31060bb41de9 | Triage

Submit
Reports

Overview

overview

Static

static

statistics...21.doc

windows7_x64

statistics...21.doc

windows10_x64

Sharing

General

Target

statistics 07.15.2021.doc
Size

87KB
Sample

210715-gq11k4s8vj
MD5

7e78634626b9b17002e8c7e40e9b7173
SHA1

d89aa1a92ae4806bbd720838ede237f58739938b
SHA256

f855f3257ac852c2ffd3c4eb498886ffd7bc09ac4b13e04ea5ba31060bb41de9
SHA512

2bdb4a9d15b9f21dda913ea4d74b087e5bf10e0903fb0eded209662d8bdc612d88d0e83071593755a37046857ce2f8e4380ebe2bbbca0526ba12555d5f97029a

Score

10^/10

trickbot zev1 banker spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

statistics 07.15.2021.doc

Resource

win7v20210410

trickbot zev1 banker spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

statistics 07.15.2021.doc

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

181.114.215.239:443

113.160.132.237:443

105.30.26.50:443

202.165.47.106:443

103.122.228.44:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Targets

- Target
  
  statistics 07.15.2021.doc
- Size
  
  87KB
- MD5
  
  7e78634626b9b17002e8c7e40e9b7173
- SHA1
  
  d89aa1a92ae4806bbd720838ede237f58739938b
- SHA256
  
  f855f3257ac852c2ffd3c4eb498886ffd7bc09ac4b13e04ea5ba31060bb41de9
- SHA512
  
  2bdb4a9d15b9f21dda913ea4d74b087e5bf10e0903fb0eded209662d8bdc612d88d0e83071593755a37046857ce2f8e4380ebe2bbbca0526ba12555d5f97029a
Score

10^/10

trickbot zev1 banker spyware stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

trickbotzev1bankerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy