trickbot | 5c8e117e71bf3e49dafa70f0d63b3ab0b3f4565d65bd131c52c32a1bc25899c5 | Triage

Sharing

General

Target

5c8e117e71bf3e49dafa70f0d63b3ab0b3f4565d65bd131c52c32a1bc25899c5
Size

460KB
Sample

220801-gsdtradhhn
MD5

111ed5614d666990dc7714ea135bf33e
SHA1

7dfcac8063524ee8e09c373ec2a886967bb9fdd1
SHA256

5c8e117e71bf3e49dafa70f0d63b3ab0b3f4565d65bd131c52c32a1bc25899c5
SHA512

3ce8bd56d7e375fbc11543a7e896b265607e06b67c7ee000cda85abade9ee6feff6ac098f22ab5908a7784c4b10def7b927a0782f56141b7c938b9e75d5ffbc7

Score

10^/10

trickbot tot347 banker evasion persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000294

Botnet

tot347

C2

51.68.170.58:443

68.3.14.71:443

174.105.235.178:449

91.235.128.69:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

206.130.141.255:449

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

75.102.135.23:449

24.119.69.70:449

195.123.212.139:443

103.110.91.118:449

68.4.173.10:443

72.189.124.41:449

105.27.171.234:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  5c8e117e71bf3e49dafa70f0d63b3ab0b3f4565d65bd131c52c32a1bc25899c5
- Size
  
  460KB
- MD5
  
  111ed5614d666990dc7714ea135bf33e
- SHA1
  
  7dfcac8063524ee8e09c373ec2a886967bb9fdd1
- SHA256
  
  5c8e117e71bf3e49dafa70f0d63b3ab0b3f4565d65bd131c52c32a1bc25899c5
- SHA512
  
  3ce8bd56d7e375fbc11543a7e896b265607e06b67c7ee000cda85abade9ee6feff6ac098f22ab5908a7784c4b10def7b927a0782f56141b7c938b9e75d5ffbc7
Score

10^/10

trickbot tot347 banker evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

trickbottot347bankerevasiontrojan

behavioral2

trickbottot347bankerpersistencetrojan