General

  • Target

    872b1aa30dd2bda76797fa9d88baece5e3ee5d8d66baaa874784b62abbd4aad1

  • Size

    496KB

  • Sample

    220701-dtnhssbfe7

  • MD5

    6a9c8a91106110707e8e155ce3364328

  • SHA1

    3a7542fe4109aef138b2adf9fa8086fac385b8e1

  • SHA256

    872b1aa30dd2bda76797fa9d88baece5e3ee5d8d66baaa874784b62abbd4aad1

  • SHA512

    eb077aa248cc263483ce1c7487396af2149e5ba06c34ee35f502aa9c4bf8a7f20d6bdea1a028276b5072c116be2b384198844aaa86e28f427898e7043a8bb8bf

Malware Config

Extracted

Family

trickbot

Version

1000500

Botnet

wmd41

C2


Attributes

  • autorun

    Name: pwgrab

  • ecc_pubkey.base64

Targets

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Dave packer

      Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (1) T1012

  • System Information Discovery (2) T1082

Tasks