trickbot | df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3 | Triage

Submit
Reports

Overview

overview

Static

static

df8de65b3c...b3.exe

windows7_x64

df8de65b3c...b3.exe

windows10-2004_x64

Sharing

General

Target

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3
Size

516KB
Sample

220701-e49dpacbbr
MD5

e18c9d414140f2cde7ae1151489f65b6
SHA1

79ed070d71ab2bf5ef7a669a328624e4e5c898b5
SHA256

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3
SHA512

78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2

Score

10^/10

trickbot lib346 banker evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe

Resource

win7-20220414-en

trickbot lib346 banker evasion trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe

Resource

win10v2004-20220414-en

trickbot lib346 banker persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

1000293

Botnet

lib346

C2

51.68.170.58:443

68.3.14.71:443

174.105.235.178:449

195.54.162.247:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

5.189.224.254:443

71.94.101.25:443

206.130.141.255:449

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

75.102.135.23:449

24.119.69.70:449

85.143.223.51:443

103.110.91.118:449

68.4.173.10:443

72.189.124.41:449

103.111.53.126:449

105.27.171.234:449

182.253.20.66:449

199.182.59.42:449

71.193.151.218:443

46.149.182.112:449

82.146.56.24:443

199.227.126.250:449

24.113.161.184:449

197.232.50.85:443

94.232.20.113:443

190.145.74.84:449

47.49.168.50:443

73.67.78.5:449

67.49.38.139:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3
- Size
  
  516KB
- MD5
  
  e18c9d414140f2cde7ae1151489f65b6
- SHA1
  
  79ed070d71ab2bf5ef7a669a328624e4e5c898b5
- SHA256
  
  df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3
- SHA512
  
  78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2
Score

10^/10

trickbot lib346 banker evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

trickbotlib346bankerevasiontrojan

behavioral2

trickbotlib346bankerpersistencetrojan

© 2018-2024

Terms | Privacy