General

  • Target

    b4e0f00ac664d1c35e275a66f6e0096a8a6aa53d1a1a964719ed0474051a26fb

  • Size

    350KB

  • Sample

    220701-hmz1gaacg5

  • MD5

    9e01d628a290b3b50305c00507c07f57

  • SHA1

    9be9591dc62197e1eb58dd1381102d67fa7efb5e

  • SHA256

    b4e0f00ac664d1c35e275a66f6e0096a8a6aa53d1a1a964719ed0474051a26fb

  • SHA512

    3bf008e1f8f8c1702699a9009b6c6cdfb26c03bf8afed112ad13679b26d54ae797e51f7a9ba13f48e23d0aba2afefb41e4377401a3a99310bf16c124e44f0765

Malware Config

Extracted

Family

trickbot

Version

1000483

Botnet

jim611

C2

62.109.22.2:443

94.156.144.74:443

78.24.219.9:443

45.141.102.2:443

212.80.218.144:443

5.182.210.254:443

194.5.250.109:443

185.222.202.25:443

185.141.61.29:443

66.85.173.57:443

195.123.220.155:443

51.89.115.110:443

144.91.80.253:443

107.173.240.221:443

103.219.213.102:449

117.255.221.135:449

45.224.214.34:449

170.84.78.224:449

189.28.185.50:449

177.154.86.145:449

Attributes

  • autorun

    Name: pwgrab

  • ecc_pubkey.base64

Targets

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry

    1 T1012

  • System Information Discovery

    2 T1082

Tasks