trickbot | bc387de543591660fa5cfb3f69e0c7d704b8be15b6ab631d2108477f1ea46424 | Triage

Resubmissions

28-12-2022 22:24

221228-2bvfdsbg78 10

19-12-2022 21:10

221219-z1afeabc4y 10

Sharing

General

Target

1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f.zip
Size

258KB
Sample

221228-2bvfdsbg78
MD5

a4b3000c36c3799244fa6156ad67f05b
SHA1

a2f1250857c17cc4244f8a211b199a77cd21c2b0
SHA256

bc387de543591660fa5cfb3f69e0c7d704b8be15b6ab631d2108477f1ea46424
SHA512

b3b25fe2f9bb09cfb67ae9935c32be7fc4c99b492a11e70b037ae9f38a4ac70d5532383eeae5e867ad33a3a7f1f07856654941c420da4f18b12374ccdfbbe191
SSDEEP

6144:gW7oncFkSGMagwEXnX6ni5oqjrgF1SPi8okHOgQo8KRWnAa/a5:glykSugF3qnqoqgyPixkDInh+

Score

10^/10

trickbot sat17 banker evasion persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000229

Botnet

sat17

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

118.91.178.101:443

158.58.131.54:443

70.114.186.116:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

162.247.37.252:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

185.129.193.221:443

184.68.167.42:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  zmoperes.ri.bin
- Size
  
  313KB
- MD5
  
  104b457b6d90fc80ff2dbbcebbb7ca8b
- SHA1
  
  7842611837af04d7c986de21ab2454ed397014de
- SHA256
  
  1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f
- SHA512
  
  504b6d45d0dbafadbefbc30d137ecf399a79bbfefe11418e5defec4f9b6ee66d170ecc12c5e9bd76511403d357d071e71d56f57e2587e558c3a91b3a0ef21df0
- SSDEEP
  
  6144:cqzfvclHbmBwuKj6BkT4GvEH5sLLJ6vd4p:cqzHWHbmQGBkT46689I
Score

10^/10

trickbot banker evasion persistence trojan sat17
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
  evasion
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotbankerevasionpersistencetrojan

behavioral2

trickbotbankertrojan

behavioral3

trickbotsat17bankerpersistencetrojan