trickbot

General

Target

7f456f8b01fc8866aeed4678a14479b6eaa62fed
Size

566KB
Sample

230201-fwnmpaca37
MD5

f12de9a9858b332eb530c1f5cdc069aa
SHA1

7f456f8b01fc8866aeed4678a14479b6eaa62fed
SHA256

70ef80df596b9d7907c7d853d00b5e2191e18bcb0d909ee4a86a7b2137ff5b72
SHA512

6168bfe5c559b4b6223dd2d17be3a1ef3cc15f9f5f6f096a1c01ecc7b67432d24c9fb0cd5303fc8b6bd8448e0e4be57b17a17d8cc7870ff0bdd69e3c2bb439ca
SSDEEP

6144:vDbbqDfFxoi9qL0W4Rl/EagUzdxcXxcEMcCYjYdjVOQnbok9P4atXkisULOWn20n:veDfYatZlthsWEsVV5lUisULO/ZxxG

Score

10^/10

Malware Config

Extracted

Family

trickbot

Version

1000235

Botnet

ser0724

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

198.53.63.120:443

158.58.131.54:443

87.117.146.63:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

24.231.0.139:443

84.237.228.13:443

138.34.32.19:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  7f456f8b01fc8866aeed4678a14479b6eaa62fed
- Size
  
  566KB
- MD5
  
  f12de9a9858b332eb530c1f5cdc069aa
- SHA1
  
  7f456f8b01fc8866aeed4678a14479b6eaa62fed
- SHA256
  
  70ef80df596b9d7907c7d853d00b5e2191e18bcb0d909ee4a86a7b2137ff5b72
- SHA512
  
  6168bfe5c559b4b6223dd2d17be3a1ef3cc15f9f5f6f096a1c01ecc7b67432d24c9fb0cd5303fc8b6bd8448e0e4be57b17a17d8cc7870ff0bdd69e3c2bb439ca
- SSDEEP
  
  6144:vDbbqDfFxoi9qL0W4Rl/EagUzdxcXxcEMcCYjYdjVOQnbok9P4atXkisULOWn20n:veDfYatZlthsWEsVV5lUisULO/ZxxG
Score

10^/10

trickbot banker trojan ser0724 persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Trickbot x86 loader

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2