General

  • Target

    c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455

  • Size

    548KB

  • Sample

    220701-dlvxxaheaq

  • MD5

    6ebc25957ccc919003cecfbd8972ecd2

  • SHA1

    fba699dab48c142f3f8cb8a50b6557213f745f69

  • SHA256

    c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455

  • SHA512

    44484124758a5923bcef6cec5e77baa28514dc31b06ea6a07ddd5e13395679686133cd610af75e0fa300a4ae3afd048f188cf2533b9b84818480b1db0c8a8854

Malware Config

Extracted

Family

trickbot

Version

1000317

Botnet

jim375

C2

107.175.127.149:443

24.247.182.240:449

108.174.120.172:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

97.87.175.152:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.36.143:443

24.247.182.174:449

Attributes

  • autorun

    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab

  • ecc_pubkey.base64
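The extracted config above gives the botnet tag (jim375), the version and twenty C2 endpoints on ports 443 and 449. The block below is an added example, not part of the Triage report: it normalises that C2 list into a lookup set, scans connection-log lines for any responder that matches (exact ip:port, or ip only on a different port, since the operator's port can change between campaigns), and emits one Suricata rule per endpoint. The log lines are constructed to mimic a Zeek conn.log (the field order `ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto` is Zeek's); the sid range and rule wording are assumptions.

```python
# Added example (not from the Triage report or the TrickBot sample itself).
# Turns the C2 list extracted on this page into an IOC set and hunts for it
# in connection-log lines. Sample log lines are constructed, not captured.
from typing import Dict, List, Set, Tuple

# C2 endpoints exactly as listed under "Malware Config > C2" on this page.
TRICKBOT_C2 = [
    "107.175.127.149:443", "24.247.182.240:449", "108.174.120.172:449",
    "107.174.34.202:443", "24.247.182.29:449", "24.247.182.179:449",
    "97.87.175.152:449", "198.46.131.164:443", "74.132.135.120:449",
    "198.46.160.217:443", "71.94.101.25:443", "24.247.182.225:449",
    "192.3.52.107:443", "74.140.160.33:449", "65.31.241.133:449",
    "140.190.54.187:449", "24.247.181.226:449", "108.160.196.130:449",
    "23.94.36.143:443", "24.247.182.174:449",
]


def parse_endpoints(entries: List[str]) -> Set[Tuple[str, int]]:
    """Normalise 'ip:port' strings into (ip, port) tuples, rejecting junk."""
    out: Set[Tuple[str, int]] = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed endpoint: {entry!r}")
        out.add((host, int(port)))
    return out


C2_SET = parse_endpoints(TRICKBOT_C2)
C2_HOSTS = {host for host, _ in C2_SET}


def scan_conn_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose responder is a known C2.

    'ip+port' means the exact extracted endpoint was contacted; 'ip-only'
    means the C2 host was reached on some other port and still deserves a look.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        if not line or line.startswith("#"):      # skip Zeek header lines
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        ts, uid, src, _sport, dst, dport, _proto = fields[:7]
        if not dport.isdigit():
            continue
        exact = (dst, int(dport)) in C2_SET
        if exact or dst in C2_HOSTS:
            hits.append({"ts": ts, "uid": uid, "src": src, "dst": dst,
                         "dport": dport,
                         "match": "ip+port" if exact else "ip-only"})
    return hits


def suricata_rules(base_sid: int = 9000000) -> List[str]:
    """Emit one Suricata rule per C2 endpoint (sid base is an assumption)."""
    rules = []
    for i, (host, port) in enumerate(sorted(C2_SET)):
        rules.append(
            f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"TrickBot C2 gtag jim375 {host}:{port}"; flow:to_server; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


# Constructed sample lines in Zeek conn.log layout (not from the report).
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1656650001.1\tC1a\t10.0.0.5\t51000\t107.175.127.149\t443\ttcp",
    "1656650002.2\tC1b\t10.0.0.5\t51001\t93.184.216.34\t443\ttcp",
    "1656650003.3\tC1c\t10.0.0.7\t51002\t24.247.182.240\t80\ttcp",
    "1656650004.4\tC1d\t10.0.0.9\t51003\t198.46.131.164\t443\ttcp",
]

if __name__ == "__main__":
    for hit in scan_conn_log(SAMPLE_LOG):
        print(hit)
    print(len(suricata_rules()), "rules generated")
```

Matching on the host alone as a second tier is deliberate: the report shows the same operator infrastructure split across 443 and 449, so an exact-port rule would miss a rotation to a new port while the IP stays live. Treat ip-only hits as leads to confirm, not as alerts on their own.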

Targets

    • Target

      c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455

    • Size

      548KB

    • MD5

      6ebc25957ccc919003cecfbd8972ecd2

    • SHA1

      fba699dab48c142f3f8cb8a50b6557213f745f69

    • SHA256

      c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455

    • SHA512

      44484124758a5923bcef6cec5e77baa28514dc31b06ea6a07ddd5e13395679686133cd610af75e0fa300a4ae3afd048f188cf2533b9b84818480b1db0c8a8854

    • Trickbot

      TrickBot, first seen in 2016, is a modular banking Trojan that loads additional capabilities (such as the injectDll and pwgrab modules named in the config above) from its C2 infrastructure.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Stops running service(s)

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Modify Existing Service (T1031): 1 match
    Registry Run Keys / Startup Folder (T1060): 1 match

  • Defense Evasion

    Impair Defenses (T1562): 1 match
    Modify Registry (T1112): 1 match

  • Impact

    Service Stop (T1489): 1 match

Technique IDs are ATT&CK v6 identifiers. In later ATT&CK releases T1031 was retired into T1543.003 (Create or Modify System Process: Windows Service) and T1060 into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), so map these before feeding the report into a current ATT&CK Navigator layer.

Tasks