General

  • Target: 8b874c3100add07aaafd5ffbae6af5e6
  • Size: 432KB
  • Sample: 240203-gakjkscffk
  • MD5: 8b874c3100add07aaafd5ffbae6af5e6
  • SHA1: ccd9d9a0c2d5e79a01ccb70a71595eb87674ce8b
  • SHA256: 65c48bb0a15c08365401769c1a36810bbc3ae81cad63457dd9b7c1056fc6cd4c
  • SHA512: bba3f843a8859270e970453ebf699885fd7925696927ff6fdb3cbc8b56cb09eb75fac373ad0c183c913ac76b778b1819fd85cdaf01cba61dda805d300fbe19a6
  • SSDEEP: 6144:6P14dTRyLGoEKr8ArJsnAvmqUscqS+SQCx+7UtfjSRIdukLkVTpvUzJMm1DeHa09:EsTRsG7ZA1szqS+3Cx+7LknLwWb9V6J

Malware Config

Extracted

  • Family: trickbot
  • Version: 1000084
  • Botnet: now1

C2


Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Targets

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks