Resubmissions

  • 19-08-2021 14:42    210819-glacb4nldj    10
  • 20-06-2021 06:40    210620-my3xhkwtcx    10

General

  • Target

    1f5033d76b72ff259bf0d7ab33725141.dll

  • Size

    700KB

  • Sample

    210819-glacb4nldj

  • MD5

    1f5033d76b72ff259bf0d7ab33725141

  • SHA1

    a827a2e9e2072ae57420a22f469e7053de62ea97

  • SHA256

    083424f93427a47fe75c914dcf71091226bd598a0ce512dccd01cb0b5d48c918

  • SHA512

    b771c7230a9757703cf6c13714ab4a34e1135028df520fbba43e7d19d731c6b257d00e4791f44191390392d1e39ef5b3d897a1225ff95fa1e16c2253ade92fca

Malware Config

Extracted

  • Family
    trickbot
  • Version
    100017
  • Botnet
    mon311
  • C2
    178.72.192.20:443
    103.124.145.98:443
    45.5.152.39:443
    114.7.240.222:443
    85.248.1.126:443
    94.183.237.101:443
    146.196.121.219:443
    89.37.1.2:443
    94.142.179.77:443
    177.221.39.161:443
    85.175.171.246:443
    103.12.160.164:443
    180.178.106.50:443
    94.142.179.179:443
    46.209.140.220:443
    123.231.149.122:443
    123.231.149.123:443
    182.160.116.190:443
    131.0.112.122:443
    116.0.6.110:443

Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
  • ecc_pubkey.base64

Targets

    • Contacts Bazar domain

      Uses Emercoin blockchain domains associated with Bazar backdoor/loader.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • suricata: ET MALWARE Trickbot Checkin Response

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Command-Line Interface (T1059): 1
  • Discovery
    Remote System Discovery (T1018): 1
    System Information Discovery (T1082): 1
