trickbot | 0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300 | Triage

Submit
Reports

Overview

overview

Static

static

0b3dd23c25...00.exe

windows7_x64

0b3dd23c25...00.exe

windows10-2004_x64

Sharing

General

Target

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300
Size

546KB
Sample

220530-ecrdssghbn
MD5

9ed548302bc24b6c5a09e397af9d9b77
SHA1

01220ee53b97aabf87d73c276c28bc2ecd4ccb1c
SHA256

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300
SHA512

94b9a42ea4f4c88a1d1ebfa56a73c560122c09dc6b81a3ea3c1d01f44efeb727843bbebf75f64f79045e7ecbc7a38f4855308fcf7261da4b0e15c45315487ee8

Score

10^/10

trickbot lib374 banker evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe

Resource

win7-20220414-en

trickbot lib374 banker evasion trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe

Resource

win10v2004-20220414-en

trickbot lib374 banker persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

1000317

Botnet

lib374

C2

107.175.127.149:443

24.247.182.240:449

108.174.120.172:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

97.87.175.152:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.36.143:443

24.247.182.174:449

108.174.60.161:443

75.108.123.165:449

72.189.124.41:449

105.27.171.234:449

172.222.97.179:449

72.241.62.188:449

198.46.198.241:443

199.227.126.250:449

97.87.172.0:449

94.232.20.113:443

24.247.182.159:449

47.49.168.50:443

64.128.175.37:449

24.227.222.4:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300
- Size
  
  546KB
- MD5
  
  9ed548302bc24b6c5a09e397af9d9b77
- SHA1
  
  01220ee53b97aabf87d73c276c28bc2ecd4ccb1c
- SHA256
  
  0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300
- SHA512
  
  94b9a42ea4f4c88a1d1ebfa56a73c560122c09dc6b81a3ea3c1d01f44efeb727843bbebf75f64f79045e7ecbc7a38f4855308fcf7261da4b0e15c45315487ee8
Score

10^/10

trickbot lib374 banker evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

trickbotlib374bankerevasiontrojan

behavioral2

trickbotlib374bankerpersistencetrojan

© 2018-2024

Terms | Privacy