trickbot

General

Target

172c407ffc85db182ee5fa22a609f316506ff9783b604914c0e1cefcfc0e2efd
Size

376KB
Sample

231114-xy2qrsgd9v
MD5

3f21654dcb2feefc61a27d3abec33568
SHA1

f6f44cefee7e15d55f754ea568f9b00b3f88f0ef
SHA256

172c407ffc85db182ee5fa22a609f316506ff9783b604914c0e1cefcfc0e2efd
SHA512

322eb13aa1a551322e8406d34430a522c44a86dc5fd191572756bfc8cb6233f8fd4d1b5c3c3c7c27523ecbacd2284cedb7e4601cf65c7ec5245652645f3530f1
SSDEEP

6144:yCISL+Svs95brBcgFDrSQw0yr8FW7UCcyCIoT14yXVJFuvYZEOg2qfKku:mS1k95PLDu/f8FW7UbGoP0Y7gbf9u

Score

10^/10

Malware Config

Extracted

Family

trickbot

Version

1000131

Botnet

tt0002

C2

212.14.51.43:449

212.14.51.56:449

206.255.220.53:449

181.175.124.212:449

82.202.246.160:443

82.202.236.61:443

82.202.212.31:443

212.92.98.95:443

92.53.77.167:443

83.220.170.11:443

212.109.221.108:443

83.220.170.3:443

80.87.197.221:443

83.220.170.83:443

185.224.215.224:443

83.220.170.165:443

195.133.147.153:443

92.53.67.155:443

194.87.92.162:443

95.213.194.111:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  172c407ffc85db182ee5fa22a609f316506ff9783b604914c0e1cefcfc0e2efd
- Size
  
  376KB
- MD5
  
  3f21654dcb2feefc61a27d3abec33568
- SHA1
  
  f6f44cefee7e15d55f754ea568f9b00b3f88f0ef
- SHA256
  
  172c407ffc85db182ee5fa22a609f316506ff9783b604914c0e1cefcfc0e2efd
- SHA512
  
  322eb13aa1a551322e8406d34430a522c44a86dc5fd191572756bfc8cb6233f8fd4d1b5c3c3c7c27523ecbacd2284cedb7e4601cf65c7ec5245652645f3530f1
- SSDEEP
  
  6144:yCISL+Svs95brBcgFDrSQw0yr8FW7UCcyCIoT14yXVJFuvYZEOg2qfKku:mS1k95PLDu/f8FW7UbGoP0Y7gbf9u
Score

10^/10

trickbot tt0002 banker evasion trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2