General

  • Target

    6198d1cde7437b005b778d709d6ea9a6a7e4c6047413b38f1e487b7670fb9ddb

  • Size

    284KB

  • Sample

    220730-zgrwcafdb8

  • MD5

    483c84066f957662d3f3e490898ad996

  • SHA1

    0c44a5e469ce7da91477f743ce0f1b7e19885c7b

  • SHA256

    6198d1cde7437b005b778d709d6ea9a6a7e4c6047413b38f1e487b7670fb9ddb

  • SHA512

    e74e48cce5285983693dd051218842717cab8822f8d09500a0f8b6a62ca0564f46d32bdb18fb70ef2a38b7c95c3d4202080919b109c0b28a3609d0e4d12f77b3

Malware Config

Extracted

Family

trickbot

Version

1000201

Botnet

pir5

C2


Attributes

  • autorun
    Control: GetSystemInfo
    Name: systeminfo
    Name: injectDll

  • ecc_pubkey.base64

Targets

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
    Modify Registry (T1112): 1

Tasks