trickbot

General

Target

mwconvertLinkGlobalng.trd.dll
Size

647KB
Sample

210819-dfdc4mzxqa
MD5

81441b435cd16c6f118cafda5b70caf3
SHA1

42f895bad095a6649558de805e3b7225d0975f3e
SHA256

684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1
SHA512

fef004904a68ae5f0e9836563df904e1080489aaea1ab89b47eac26c8c2b57907fb68e5818bace26efd221a06ba52ce03621bcaadb521bd7d04a1f44c297fb1b

Score

10^/10

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

C2

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Extracted

Family

trickbot

Version

2000032

Botnet

tot141

C2

103.122.228.44:443

196.216.220.211:443

181.114.215.239:443

41.57.156.203:443

43.252.159.63:443

197.156.129.250:443

113.160.37.196:443

38.110.100.64:443

113.160.132.237:443

24.28.12.23:443

38.110.100.219:443

45.239.233.109:443

119.202.8.249:443

200.236.218.62:443

220.82.64.198:443

190.93.208.53:443

196.216.59.174:443

222.124.16.74:443

202.165.47.106:443

96.9.77.56:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Targets

- Target
  
  mwconvertLinkGlobalng.trd.dll
- Size
  
  647KB
- MD5
  
  81441b435cd16c6f118cafda5b70caf3
- SHA1
  
  42f895bad095a6649558de805e3b7225d0975f3e
- SHA256
  
  684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1
- SHA512
  
  fef004904a68ae5f0e9836563df904e1080489aaea1ab89b47eac26c8c2b57907fb68e5818bace26efd221a06ba52ce03621bcaadb521bd7d04a1f44c297fb1b
Score

10^/10

trickbot tot141 zev1 banker persistence spyware stealer suricata trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- suricata: ET MALWARE Trickbot Checkin Response
  suricata: ET MALWARE Trickbot Checkin Response
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2