General

  • Target

    8bf06a4c2ef57383efdc8fe9b9860c8ede70c63f158b1f58ea9f1fb564710f50

  • Size

    352KB

  • Sample

    220731-frg94sheb8

  • MD5

    99246603209088dc1a80d4c9cd30f2db

  • SHA1

    d1a7f86f975b6d80f7663397c8558d04f0e663cd

  • SHA256

    8bf06a4c2ef57383efdc8fe9b9860c8ede70c63f158b1f58ea9f1fb564710f50

  • SHA512

    78b2e96f5abd4eb110183a7a11fd7f4e686d54a82cad62e4e4d5aca7ff0626ed97d242481942ef27c0b8bce9a336450c3821ff01f814bad7e155d3f89a92b706

Malware Config

Extracted

Family

trickbot

Version

1000192

Botnet

lib222

C2

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:449

109.95.114.28:449

118.91.178.106:449

173.220.6.194:449

179.107.89.145:449

46.20.207.204:449

91.206.4.216:449

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:449

68.227.31.46:449

107.144.49.162:449

46.72.175.17:449

144.48.51.8:449

46.243.179.212:449

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Targets

    • Target

      8bf06a4c2ef57383efdc8fe9b9860c8ede70c63f158b1f58ea9f1fb564710f50

    • Size

      352KB

    • MD5

      99246603209088dc1a80d4c9cd30f2db

    • SHA1

      d1a7f86f975b6d80f7663397c8558d04f0e663cd

    • SHA256

      8bf06a4c2ef57383efdc8fe9b9860c8ede70c63f158b1f58ea9f1fb564710f50

    • SHA512

      78b2e96f5abd4eb110183a7a11fd7f4e686d54a82cad62e4e4d5aca7ff0626ed97d242481942ef27c0b8bce9a336450c3821ff01f814bad7e155d3f89a92b706

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Tasks