Overview

overview

10

Static

static

333f975099...60.exe

windows7_x64

10

333f975099...60.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

  • Size

    355KB

  • Sample

    220620-dpg58acefp

  • MD5

    071b4497f6f663133e9d2c5b9fc15c6d

  • SHA1

    3334452e9da9f49d07058395bede8b06bc69ba0e

  • SHA256

    333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

  • SHA512

    6f11268b4a581f215811882fbf510801bce98aba6eda56fb9d4de04fdf00dddbada92c03953e1888cfcbbf7ca2d71d11f91895977955a6c9ecd5f5b0d520fda9

Score
10/10
trickbotsat4bankerevasionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000310

Botnet

sat4

C2

82.202.212.172:443

24.247.181.155:449

24.247.182.39:449

213.183.63.16:443

74.132.133.246:449

24.247.182.7:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

    • Size

      355KB

    • MD5

      071b4497f6f663133e9d2c5b9fc15c6d

    • SHA1

      3334452e9da9f49d07058395bede8b06bc69ba0e

    • SHA256

      333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

    • SHA512

      6f11268b4a581f215811882fbf510801bce98aba6eda56fb9d4de04fdf00dddbada92c03953e1888cfcbbf7ca2d71d11f91895977955a6c9ecd5f5b0d520fda9

    Score
    10/10
    trickbotsat4bankerevasiontrojanpersistence

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks