Overview

overview

10

Static

static

48db6a8160...ca.dll

windows7_x64

10

48db6a8160...ca.dll

windows10_x64

10

Resubmissions

19-08-2021 15:26

210819-5deyx3b5t2 10

22-07-2021 16:05

210722-j48zwqknze 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    48db6a8160708b9b1c29e2f480e8c5ca.dll

  • Size

    544KB

  • Sample

    210819-5deyx3b5t2

  • MD5

    48db6a8160708b9b1c29e2f480e8c5ca

  • SHA1

    bada0322219a1c14b5caec2c3d23fa3c7e1219c6

  • SHA256

    e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb

  • SHA512

    2519c43ec0ba2c05a1b769d06d4a961083f7bd60376fe4e3937eec6741192d050e347d4fd1761949d9948e13aa4743fc9af0b869d2235bce466e857a92b4a109

Score
10/10
trickbotrob109bankerspywarestealersuricatatrojan

Malware Config

Extracted

Family

trickbot

Version

100018

Botnet

rob109

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      48db6a8160708b9b1c29e2f480e8c5ca.dll

    • Size

      544KB

    • MD5

      48db6a8160708b9b1c29e2f480e8c5ca

    • SHA1

      bada0322219a1c14b5caec2c3d23fa3c7e1219c6

    • SHA256

      e07cef58aa29455209f32ef23249c9dbfc14dcb79b129dcef040f84aec0253fb

    • SHA512

      2519c43ec0ba2c05a1b769d06d4a961083f7bd60376fe4e3937eec6741192d050e347d4fd1761949d9948e13aa4743fc9af0b869d2235bce466e857a92b4a109

    Score
    10/10
    trickbotrob109bankerspywarestealersuricatatrojan

    • Contacts Bazar domain

      Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • suricata: ET MALWARE Trickbot Checkin Response

      suricata: ET MALWARE Trickbot Checkin Response

      suricata

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks