General

  • Target

    2baf66b83d6cd0b52e3dae66c42a0a3a3c279319c68b77e02141a2c355698409

  • Size

    388KB

  • Sample

    220204-yysnjaehd6

  • MD5

    3eddc2760b59562058025f42bc60fc32

  • SHA1

    bca09f230f9457d6ed5d5325854df1824d4375f7

  • SHA256

    2baf66b83d6cd0b52e3dae66c42a0a3a3c279319c68b77e02141a2c355698409

  • SHA512

    5d83ce9b8fbfc894a533542b66cecbb7343c3df44d656156fecce246b013cd55ca359238f67b8e3a364865b605b24d65169109f3afaf37bee14a5bc6152dc316

Malware Config

Extracted

Family

trickbot

Version

1000487

Botnet

mor56

C2

146.185.253.174:443

146.185.219.50:443

51.89.73.144:443

5.182.210.30:443

146.185.253.107:443

94.156.35.206:443

103.75.117.188:443

172.245.159.121:443

188.165.62.47:443

167.86.123.83:443

107.172.235.24:443

85.204.116.154:443

5.2.72.102:443

146.185.253.175:443

107.181.187.221:443

45.141.100.190:443

162.247.155.113:443

103.219.213.102:449

117.255.221.135:449

189.28.185.50:449

Attributes

  • autorun

    Name: pwgrab

  • ecc_pubkey.base64

Targets

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Sets service image path in registry

MITRE ATT&CK Enterprise v6

Tasks