trickbot

General

Target

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225
Size

304KB
Sample

220607-t39qdsgfbq
MD5

5919aabbf2a93c1f1c2f492a8dac755e
SHA1

02bdabad186f703bb73ad3f79d018996fdea9d71
SHA256

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225
SHA512

427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Score

10^/10

Malware Config

Extracted

Family

trickbot

Version

1000201

Botnet

ser0529

C2

109.86.227.152:443

185.129.78.167:443

190.4.189.129:443

103.228.142.14:443

65.30.201.40:443

66.232.212.59:443

80.53.57.146:443

208.75.117.70:449

92.55.251.211:449

94.112.52.197:449

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

185.42.192.194:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

82.146.59.174:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225
- Size
  
  304KB
- MD5
  
  5919aabbf2a93c1f1c2f492a8dac755e
- SHA1
  
  02bdabad186f703bb73ad3f79d018996fdea9d71
- SHA256
  
  1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225
- SHA512
  
  427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a
Score

10^/10

trickbot ser0529 banker trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Trickbot x86 loader

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2