Overview

overview

10

Static

static

qca.exe

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    qca.exe

  • Size

    383KB

  • Sample

    220822-13s6zagfe3

  • MD5

    b065af93b5fd551526705b5968d0ca10

  • SHA1

    e807ff55829a205941096b8edfcda6a0cdc3ccc1

  • SHA256

    28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

  • SHA512

    dcff979209cfe0d309a9ddbf1c99de41102cc86f8541160ad6e185d3ae23b5fd7c97c4c36fd7df95ef3aa73b4846b5811fdb96ee671d0a2220d8f75c009aebb4

  • SSDEEP

    6144:Lp0ZFUrIyx1JSIT4k2z0qJ1yFMj/76wI2dfWG072/PeyXT6DI1h3H+lusL:L+ZFUrrBj4kFFMjjGq57Pe2TaI1h3OtL

Score
10/10
trickbotlib322bankerevasiontrojan

Malware Config

Extracted

Family

trickbot

Version

1000271

Botnet

lib322

C2

195.54.163.210:443

94.181.47.198:449

81.21.121.138:449

23.94.41.215:443

181.113.17.230:449

212.23.70.149:443

185.251.38.135:443

170.81.32.66:449

42.115.91.177:443

107.173.102.231:443

121.58.242.206:449

167.114.13.91:443

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Targets

    • Target

      qca.exe

    • Size

      383KB

    • MD5

      b065af93b5fd551526705b5968d0ca10

    • SHA1

      e807ff55829a205941096b8edfcda6a0cdc3ccc1

    • SHA256

      28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

    • SHA512

      dcff979209cfe0d309a9ddbf1c99de41102cc86f8541160ad6e185d3ae23b5fd7c97c4c36fd7df95ef3aa73b4846b5811fdb96ee671d0a2220d8f75c009aebb4

    • SSDEEP

      6144:Lp0ZFUrIyx1JSIT4k2z0qJ1yFMj/76wI2dfWG072/PeyXT6DI1h3H+lusL:L+ZFUrrBj4kFFMjjGq57Pe2TaI1h3OtL

    Score
    10/10
    trickbotlib322bankerevasiontrojan

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks