trickbot | 3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa | Triage

Submit
Reports

Overview

overview

Static

static

3c5b08764e...fa.exe

windows7_x64

3c5b08764e...fa.exe

windows10-2004_x64

Sharing

General

Target

3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa
Size

428KB
Sample

220703-jltyhadad3
MD5

54bc795028a9a3f1467d8ba8a3f1f5a2
SHA1

e5f7ba4baeb7bd0beef022c7535c071ab2c7d89d
SHA256

3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa
SHA512

35b27257fc7a86aafbf5ee143e0b69562117de2491740a8a02282f2b698caeb8272b061da1310b8a1be1f0a7955c8616ff93cf78aadf61ceba46adc4487a5edf

Score

10^/10

trickbot ser0629 banker evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa.exe

Resource

win7-20220414-en

trickbot ser0629 banker evasion trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa.exe

Resource

win10v2004-20220414-en

trickbot ser0629 banker persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

trickbot

Version

1000219

Botnet

ser0629

C2

138.34.32.218:443

86.61.177.139:443

47.40.90.210:443

93.109.242.134:443

45.36.155.244:443

158.58.131.54:443

46.59.89.119:449

66.229.97.133:443

45.56.2.247:443

109.86.227.152:443

209.131.236.23:443

200.2.126.98:443

62.31.150.202:443

90.69.224.122:443

194.68.23.182:443

182.253.210.130:449

67.159.157.150:443

172.117.118.98:443

201.174.70.238:443

138.34.32.74:443

73.107.42.28:443

187.163.215.32:443

199.250.230.169:443

195.161.114.240:443

185.231.154.104:443

81.177.140.37:443

185.159.130.87:443

185.146.156.237:443

195.54.163.139:443

95.213.203.174:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa
- Size
  
  428KB
- MD5
  
  54bc795028a9a3f1467d8ba8a3f1f5a2
- SHA1
  
  e5f7ba4baeb7bd0beef022c7535c071ab2c7d89d
- SHA256
  
  3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa
- SHA512
  
  35b27257fc7a86aafbf5ee143e0b69562117de2491740a8a02282f2b698caeb8272b061da1310b8a1be1f0a7955c8616ff93cf78aadf61ceba46adc4487a5edf
Score

10^/10

trickbot ser0629 banker evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

trickbotser0629bankerevasiontrojan

behavioral2

trickbotser0629bankerpersistencetrojan

© 2018-2024

Terms | Privacy