Overview

overview

10

Static

static

10

unpacked.exe

windows7_x64

10

unpacked.exe

windows10_x64

10

Resubmissions

19-08-2021 14:25

210819-ge1e8226dj 10

19-08-2021 14:18

210819-8l1xltkafs 10

05-08-2021 06:19

210805-17j1n24dtn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    unpacked.exe

  • Size

    132KB

  • Sample

    210819-ge1e8226dj

  • MD5

    14e049a9f6cf9749165621c26365931b

  • SHA1

    7644a353908969fa261f656c79c6050ef8b76eb3

  • SHA256

    25939f03c43151ec5474f746fc71510fb6abe8b5e41da44fef74b6bc806e26b4

  • SHA512

    ca3281218db70b68b4ba1caaa01311cad7dbe0a29abb4d2c8e5a22477740531b343f17c0bf15dfdd8285c044baf42fca3da29f9b05a18fa958b9e8eb12cda5fb

Score
10/10
trickbotrob113spywarestealersuricata

Malware Config

Extracted

Family

trickbot

Version

100018

Botnet

rob113

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      unpacked.exe

    • Size

      132KB

    • MD5

      14e049a9f6cf9749165621c26365931b

    • SHA1

      7644a353908969fa261f656c79c6050ef8b76eb3

    • SHA256

      25939f03c43151ec5474f746fc71510fb6abe8b5e41da44fef74b6bc806e26b4

    • SHA512

      ca3281218db70b68b4ba1caaa01311cad7dbe0a29abb4d2c8e5a22477740531b343f17c0bf15dfdd8285c044baf42fca3da29f9b05a18fa958b9e8eb12cda5fb

    Score
    10/10
    spywarestealersuricata

    • Contacts Bazar domain

      Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

    • suricata: ET MALWARE Trickbot Checkin Response

      suricata: ET MALWARE Trickbot Checkin Response

      suricata

    • suricata: ET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized

      suricata: ET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized

      suricata

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks