Overview

overview

10

Static

static

225d41fc5d...d6.exe

windows7-x64

10

225d41fc5d...d6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    225d41fc5d44936822f7b137ecf6156ed4a3d08439b1b2f9633ccfbc51fad7d6

  • Size

    299KB

  • Sample

    221130-xkfalshh5v

  • MD5

    b1f04b467115b366a8d8b76fd4da6cc7

  • SHA1

    860f3a96d57984d0112521e9eb31e30ed2498033

  • SHA256

    225d41fc5d44936822f7b137ecf6156ed4a3d08439b1b2f9633ccfbc51fad7d6

  • SHA512

    80f3ddefaf0627e12cf7569afb83789384788e9cd65aea4a7eb8f3f030469fd067e4e4c029512857ee28c2011e8076d1d97ac676524c79bf987dc337f088d5ae

  • SSDEEP

    6144:eAiBe5v1c1TGVMftOGoBButUAG7l7eNwVIeCi0a5bZq/4kCBuc:xig5y9i2OrIUAG7l7eNwVI6vKAkCB

Score
10/10
trickbottot314bankerevasionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000263

Botnet

tot314

C2

118.97.119.218:449

94.181.47.198:449

144.121.143.129:449

185.200.60.138:449

185.42.52.126:449

181.174.112.74:449

178.116.83.49:443

121.58.242.206:449

182.50.64.148:449

82.222.40.119:449

97.78.222.18:449

67.79.15.106:449

168.167.87.79:443

103.111.53.126:449

182.253.20.66:449

192.188.120.164:443

81.17.86.112:443

95.154.80.154:449

46.149.182.112:449

69.9.232.167:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Targets

    • Target

      225d41fc5d44936822f7b137ecf6156ed4a3d08439b1b2f9633ccfbc51fad7d6

    • Size

      299KB

    • MD5

      b1f04b467115b366a8d8b76fd4da6cc7

    • SHA1

      860f3a96d57984d0112521e9eb31e30ed2498033

    • SHA256

      225d41fc5d44936822f7b137ecf6156ed4a3d08439b1b2f9633ccfbc51fad7d6

    • SHA512

      80f3ddefaf0627e12cf7569afb83789384788e9cd65aea4a7eb8f3f030469fd067e4e4c029512857ee28c2011e8076d1d97ac676524c79bf987dc337f088d5ae

    • SSDEEP

      6144:eAiBe5v1c1TGVMftOGoBButUAG7l7eNwVIeCi0a5bZq/4kCBuc:xig5y9i2OrIUAG7l7eNwVI6vKAkCB

    Score
    10/10
    trickbottot314bankerevasiontrojanpersistence

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks