trickbot | 5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149 | Triage

Submit
Reports

Overview

overview

Static

static

5a638b0b0a...49.exe

windows7-x64

5a638b0b0a...49.exe

windows10-2004-x64

Sharing

General

Target

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149
Size

508KB
Sample

220802-d9vbaaaffr
MD5

016141489862022439b63abc649186e6
SHA1

cb7d8c2bee9d9271835c77b90b4be02680c5889f
SHA256

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149
SHA512

0d413ae62a8cc7d74a5912705f00ba6c25bae9f6fce5b91d4adebd50c980ce0ce087c15b6c4df3cf47d4609a89534d04ff4c86b2c0f5eec512851c66b038ac83

Score

10^/10

trickbot tot372 banker evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe

Resource

win7-20220715-en

trickbot tot372 banker evasion trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe

Resource

win10v2004-20220721-en

trickbot tot372 banker persistence trojan

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

trickbot

Version

1000316

Botnet

tot372

C2

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443

75.108.123.165:449

72.189.124.41:449

105.27.171.234:449

172.222.97.179:449

72.241.62.188:449

198.46.198.241:443

199.227.126.250:449

97.87.172.0:449

94.232.20.113:443

24.247.182.159:449

47.49.168.50:443

64.128.175.37:449

24.227.222.4:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149
- Size
  
  508KB
- MD5
  
  016141489862022439b63abc649186e6
- SHA1
  
  cb7d8c2bee9d9271835c77b90b4be02680c5889f
- SHA256
  
  5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149
- SHA512
  
  0d413ae62a8cc7d74a5912705f00ba6c25bae9f6fce5b91d4adebd50c980ce0ce087c15b6c4df3cf47d4609a89534d04ff4c86b2c0f5eec512851c66b038ac83
Score

10^/10

trickbot tot372 banker evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

trickbottot372bankerevasiontrojan

behavioral2

trickbottot372bankerpersistencetrojan

© 2018-2024

Terms | Privacy