General

  • Target: 97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103
  • Size: 448KB
  • Sample: 220731-fwgt5sahfl
  • MD5: 821b90f4f3a4d56cf89660ed6dc17761
  • SHA1: 5d165df8a4a314f6a805715c142724372cc0e1b2
  • SHA256: 97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103
  • SHA512: 09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7

Malware Config

Extracted

  • Family: trickbot
  • Version: 1000253
  • Botnet: lib302
  • C2:

Attributes

  • autorun: Control:GetSystemInfo; Name:systeminfo; Name:injectDll
  • ecc_pubkey.base64

Targets

    • Trickbot: Developed in 2016, TrickBot is one of the more recent banking Trojans.
    • Trickbot x86 loader: Detected Trickbot's x86 loader that unpacks the x86 payload.
    • Executes dropped EXE
    • Stops running service(s)
    • Loads dropped DLL
    • Adds Run key to start application
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Modify Existing Service (T1031)
    Registry Run Keys / Startup Folder (T1060)
  • Defense Evasion
    Impair Defenses (T1562)
    Modify Registry (T1112)
  • Impact
    Service Stop (T1489)
