General

  • Target: 5a8282254fc150756f8fef3d823852b055be1e561d6bbcc9b55e71d1f5bb6b81
  • Size: 8.0MB
  • Sample: 220204-h16p6sfad6
  • MD5: ff5a0025edee17d2f5f29966af06743e
  • SHA1: dfae4d2798c805c41b6515958d1935956d2fec6a
  • SHA256: 5a8282254fc150756f8fef3d823852b055be1e561d6bbcc9b55e71d1f5bb6b81
  • SHA512: eb2a742b0d697585e3d7d51c968c0064931949b5dcda368bcf3fa5e88664a511debb031327b1eaf70e80d2fddd396f90820f73f5add7562b5bc3a20b78039e0a

Malware Config

Extracted

  • Family: trickbot
  • Version: 2000030
  • Botnet: rob88

C2

Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
  • ecc_pubkey.base64

Targets

    • Target: 83516-38-0421.doc.lnk
    • Size: 806B
    • MD5: e2e45fc15aecb8462dd677ad1c57e14d
    • SHA1: b8695b4ca5d2b21fb2aca5fe26a2b69c54cf7e78
    • SHA256: e469dd1188b9b0ddc21e9d69e57ec38bd2f0bb1852943fa7926e81cd0ab15ca0
    • SHA512: 6d5cd26067ca25cbfc087244b4beb2288d49b6bb2116d0bc50993b6d95dd87a20f4c320296fb95fa8f0402c650dc4045111aed490de513744a00a0631a5c8097

    • Trickbot
      Developed in 2016, TrickBot is one of the more recent banking Trojans.
    • Executes dropped EXE
    • Sets service image path in registry
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.

MITRE ATT&CK Enterprise v6

Tasks