Resubmissions

  • 19-08-2021 15:26  210819-q3bbzmkk2a  score 10
  • 19-08-2021 15:25  210819-9fmv2d7nee  score 10
  • 22-07-2021 16:09  210722-emxft71ta2  score 10

General

  • Target

    d78b148f08b3a869fbc8fe66fa91ade0.exe

  • Size

    454KB

  • Sample

    210819-q3bbzmkk2a

  • MD5

    d78b148f08b3a869fbc8fe66fa91ade0

  • SHA1

    3e5a8cf2c8bbf21c3f4edcc8720fa1db51234bac

  • SHA256

    9e2c9fa5f0c1bd5348d3a6996ab5855104ac9580defad7789f4296ce9d5305a0

  • SHA512

    72e3a33288f9145aba4b47f1bcfc9b732d213f80d2ad64c994ecd8abb6438a57057f5de9523bf6bd3b5f50b64b33b502b81326faa9ed78c2b06f7b7c48adf830

Malware Config

Extracted

Family

trickbot

Version

100018

Botnet

rob110

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

  • autorun
    Name: pwgrabb
    Name: pwgrabc
  • ecc_pubkey.base64
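The extracted config above is only useful if it is turned into something that can be run against your own telemetry. The following is an added example (not part of the original report, and not TrickBot code) that embeds the twenty C2 endpoints and the botnet tag from the config, sweeps connection logs for them, and emits equivalent Suricata rules. The log lines are constructed for the demo and follow a Zeek conn.log-style tab layout (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto); that layout, the `$HOME_NET` variable and the sid range are assumptions, not anything the report states.

```python
"""IOC sweep for the extracted TrickBot config above.

Added example; not part of the original Triage report and not TrickBot code.
C2 endpoints and botnet tag are copied from the Malware Config section.
The connection-log lines are constructed for this demo and use a Zeek
conn.log-style tab layout (assumption about the reader's log source).
"""
from collections import Counter
import ipaddress

BOTNET = "rob110"
C2_ENDPOINTS = {
    ("38.110.103.124", 443), ("185.56.76.28", 443), ("204.138.26.60", 443),
    ("60.51.47.65", 443), ("74.85.157.139", 443), ("68.69.26.182", 443),
    ("38.110.103.136", 443), ("38.110.103.18", 443), ("138.34.28.219", 443),
    ("185.56.76.94", 443), ("217.115.240.248", 443), ("24.162.214.166", 443),
    ("80.15.2.105", 443), ("154.58.23.192", 443), ("38.110.100.104", 443),
    ("45.36.99.184", 443), ("185.56.76.108", 443), ("185.56.76.72", 443),
    ("138.34.28.35", 443), ("97.83.40.67", 443),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}


def parse_conn_line(line):
    """Parse one tab-separated conn-log line into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        return None
    ts, src, sport, dst, dport, proto = parts[:6]
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def sweep(lines, strict_port=True):
    """Return log records whose destination matches a configured C2.

    strict_port=True matches the exact ip:port pair from the config (fewer
    false positives); False matches the IP alone, which is what you want
    when hunting for the same infrastructure on other ports.
    """
    hits = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        if strict_port:
            matched = (rec["dst"], rec["dport"]) in C2_ENDPOINTS
        else:
            matched = rec["dst"] in C2_IPS
        if matched:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count matches per C2 address and per internal source host."""
    return {
        "by_c2": Counter(h["dst"] for h in hits),
        "by_host": Counter(h["src"] for h in hits),
    }


def suricata_rules(base_sid=9000000):
    """Emit one Suricata rule per C2 endpoint (sid range is a local choice)."""
    rules = []
    for i, (ip, port) in enumerate(sorted(C2_ENDPOINTS)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"TrickBot {BOTNET} C2 {ip}:{port}"; '
            f'flow:to_server,established; sid:{base_sid + i}; rev:1;)'
        )
    return rules


# Constructed sample log: two real C2 contacts, one C2 IP on a non-C2 port,
# one benign connection, one malformed line.
SAMPLE_LOG = [
    "1629383160.1\t10.0.0.15\t49812\t38.110.103.124\t443\ttcp",
    "1629383161.4\t10.0.0.15\t49813\t185.56.76.28\t443\ttcp",
    "1629383162.9\t10.0.0.22\t50001\t38.110.103.124\t80\ttcp",
    "1629383163.2\t10.0.0.22\t50002\t93.184.216.34\t443\ttcp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = sweep(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]}')
    print(summarize(hits))
    print("\n".join(suricata_rules()[:3]))
```

Every endpoint in this config is an IP:443 pair, so TLS inspection keyed on hostnames or SNI will not see these check-ins; sweep firewall, NetFlow or conn logs by destination address instead. The list is tied to config version 100018 and rotates between builds, so re-extract it from newer samples rather than treating it as a permanent blocklist.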

Targets

    • d78b148f08b3a869fbc8fe66fa91ade0.exe (454KB; hashes as listed under General above)

    • Contacts Bazar domain

      Resolves Emercoin (EmerDNS) blockchain domains, a technique associated with the Bazar backdoor/loader.

    • Trickbot

      TrickBot is a modular banking Trojan first observed in 2016; later builds also act as a loader for other payloads.

    • suricata: ET MALWARE Trickbot Checkin Response

      Emerging Threats signature that fired on the C2 check-in response during the run.

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers read stored browser profile data such as saved credentials, cookies and form history.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      ID     Signatures
  Execution          Command-Line Interface         T1059  1
  Credential Access  Credentials in Files           T1081  1
  Discovery          Remote System Discovery        T1018  1
  Discovery          System Information Discovery   T1082  1
  Collection         Data from Local System         T1005  1

The IDs are from ATT&CK v6: in current versions T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files) and T1059 is now a parent technique with sub-techniques.

Tasks