General

  • Target

    d9dc4bf3de105f4aa2b4f90b8893d9a0d1273cc81bf2be0e00b0700b15970f98.iso

  • Size

    1.8MB

  • Sample

    211021-jqbmqaaghn

  • MD5

    502bcaab33f214a4b7f616503e597789

  • SHA1

    ab881ba613850f128d2334707b39e1520d86dea7

  • SHA256

    d9dc4bf3de105f4aa2b4f90b8893d9a0d1273cc81bf2be0e00b0700b15970f98

  • SHA512

    656cf34491f564c012f87843d01a6185d609460ac23e4033aa9448d69e3a1573ca6af3f0e74dbd5b8145b1ae0d6bc3f751245edffa8782d3a896c454e13666a6

Malware Config

Extracted

  • Family: trickbot

  • Version: 100019

  • Botnet: leg1

C2


Attributes

  • autorun

    Name: pwgrabb
    Name: pwgrabc

  • ecc_pubkey.base64

Targets

    • Target

      Documents.lnk

    • Size

      1KB

    • MD5

      0c87cf536140349af097d10fd388e8d8

    • SHA1

      a8e880685cf6cce8c3d254de7420649fa4e881b8

    • SHA256

      d43f97b1e8bc5537b0820c22abaab7fee4747767464cdfbef6758b678c998331

    • SHA512

      63589bfde2c1211553ddd64f4c77c6f3a06a2576edd25aad67936f77735d35152f025c029aeefb2427d12e1eaa565794774f49da131fee7f68829002373b1a2e

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2

    • Deletes itself

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Documents.tmp

    • Size

      1.7MB

    • MD5

      133f935f9bc1c919af18db30f9db657d

    • SHA1

      afb6253e491e109ebe2445ab4935f37120420b5c

    • SHA256

      0648bdad8a597280f65f4db2448ba1524d6508841933156f4dfef9d1fe2e5075

    • SHA512

      5d0c5f6ca0b28253a3537c11cfc7f5a72e417c4b4607a148dfa770c307466e81058f56b7ad67cb32761442cda0d720ea23281b41b4979f545ceff5041327cd04

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    System Information Discovery (T1082): 1

Tasks