trickbot | c6e180c080ae1dcbe565cf2a5be34868b95a60b48999e05ecaac2b50a79ca812 | Triage

Sharing

General

Target

19b33b6a3364c56bec62097d1970c860_JaffaCakes118
Size

516KB
Sample

240505-3g43fsce82
MD5

19b33b6a3364c56bec62097d1970c860
SHA1

88662db7d235293855ea2b81ca43daab0b916cd8
SHA256

c6e180c080ae1dcbe565cf2a5be34868b95a60b48999e05ecaac2b50a79ca812
SHA512

a669910f5cec1c7c037a0bded475baf6ed283edca2182f0897852c9e33d7fc8274a60c992b6c2bd971c472feb6cc3d29957a895f452d918d56a0e530f005c55a
SSDEEP

6144:Kbj1hhlUuOqLAp83/I/z2h6y1wwnpcRtxSHNnylh+bv047zgaCMYSMOA6wT78:eDOq0p8vISh4wnpm4gh+bv0SzLHYob

Score

10^/10

trickbot sat22 banker evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000235

Botnet

sat22

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

198.53.63.120:443

158.58.131.54:443

87.117.146.63:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

24.231.0.139:443

84.237.228.13:443

138.34.32.19:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  19b33b6a3364c56bec62097d1970c860_JaffaCakes118
- Size
  
  516KB
- MD5
  
  19b33b6a3364c56bec62097d1970c860
- SHA1
  
  88662db7d235293855ea2b81ca43daab0b916cd8
- SHA256
  
  c6e180c080ae1dcbe565cf2a5be34868b95a60b48999e05ecaac2b50a79ca812
- SHA512
  
  a669910f5cec1c7c037a0bded475baf6ed283edca2182f0897852c9e33d7fc8274a60c992b6c2bd971c472feb6cc3d29957a895f452d918d56a0e530f005c55a
- SSDEEP
  
  6144:Kbj1hhlUuOqLAp83/I/z2h6y1wwnpcRtxSHNnylh+bv047zgaCMYSMOA6wT78:eDOq0p8vISh4wnpm4gh+bv0SzLHYob
Score

10^/10

trickbot sat22 banker evasion execution trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotsat22bankerevasionexecutiontrojan

behavioral2

trickbotbankertrojan