Resubmissions

  • 28-12-2022 22:24    221228-2bvfdsbg78    10

  • 19-12-2022 21:10    221219-z1afeabc4y    10

General

  • Target

    1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f.zip

  • Size

    258KB

  • Sample

    221219-z1afeabc4y

  • MD5

    a4b3000c36c3799244fa6156ad67f05b

  • SHA1

    a2f1250857c17cc4244f8a211b199a77cd21c2b0

  • SHA256

    bc387de543591660fa5cfb3f69e0c7d704b8be15b6ab631d2108477f1ea46424

  • SHA512

    b3b25fe2f9bb09cfb67ae9935c32be7fc4c99b492a11e70b037ae9f38a4ac70d5532383eeae5e867ad33a3a7f1f07856654941c420da4f18b12374ccdfbbe191

  • SSDEEP

    6144:gW7oncFkSGMagwEXnX6ni5oqjrgF1SPi8okHOgQo8KRWnAa/a5:glykSugF3qnqoqgyPixkDInh+

Malware Config

Extracted

Family

trickbot

Version

1000229

Botnet

sat17

C2

Attributes

  • autorun

    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll

  • ecc_pubkey.base64

Targets

    • Target

      zmoperes.ri.bin

    • Size

      313KB

    • MD5

      104b457b6d90fc80ff2dbbcebbb7ca8b

    • SHA1

      7842611837af04d7c986de21ab2454ed397014de

    • SHA256

      1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f

    • SHA512

      504b6d45d0dbafadbefbc30d137ecf399a79bbfefe11418e5defec4f9b6ee66d170ecc12c5e9bd76511403d357d071e71d56f57e2587e558c3a91b3a0ef21df0

    • SSDEEP

      6144:cqzfvclHbmBwuKj6BkT4GvEH5sLLJ6vd4p:cqzHWHbmQGBkT46689I

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

Tasks