trickbot | 34e3b6a0dae2cc223bf18e7cb9c84c0cafead62b3d8914a9488de9f5c76d8794 | Triage

Submit
Reports

Overview

overview

Static

static

3

189ada9dc9...18.exe

windows7-x64

189ada9dc9...18.exe

windows10-2004-x64

Sharing

General

Target

189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118
Size

408KB
Sample

240505-vr4wfaah85
MD5

189ada9dc9ca6a101df62effdaf4e733
SHA1

b8be1b171a1b8b63706ca450f8fee514fc925b6d
SHA256

34e3b6a0dae2cc223bf18e7cb9c84c0cafead62b3d8914a9488de9f5c76d8794
SHA512

ecfdf797a8cf4316c786cd56fd6e7431529b985b446b9d388797b070fb4bba6ff4f6eeed6c488b42c8dfc584d1e5e94f5c53dcc550d02b401dd463b34fb06312
SSDEEP

12288:ikRCRTrqXyp0uqyNlz7n7SEQ8eskJKKP:FRCRT+CKNKlXi7i

Score

10^/10

trickbot jim252 banker evasion execution persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe

Resource

win7-20240221-en

trickbot jim252 banker evasion execution trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe

Resource

win10v2004-20240419-en

trickbot jim252 banker persistence trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

trickbot

Version

1000213

Botnet

jim252

C2

138.34.32.218:443

86.61.177.139:443

188.124.167.132:449

93.109.242.134:443

62.31.150.202:443

158.58.131.54:443

36.74.100.211:449

66.229.97.133:443

200.111.167.227:449

109.86.227.152:443

85.172.38.59:449

67.162.236.158:443

66.232.212.59:443

80.53.57.146:443

182.253.210.130:449

155.133.31.21:449

176.222.255.2:443

209.121.142.202:449

138.34.32.74:443

209.121.142.214:449

144.48.51.8:443

199.250.230.169:443

92.53.66.78:443

195.54.163.93:443

185.159.129.78:443

185.174.172.249:443

109.234.37.52:443

37.46.135.218:443

94.103.82.239:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118
- Size
  
  408KB
- MD5
  
  189ada9dc9ca6a101df62effdaf4e733
- SHA1
  
  b8be1b171a1b8b63706ca450f8fee514fc925b6d
- SHA256
  
  34e3b6a0dae2cc223bf18e7cb9c84c0cafead62b3d8914a9488de9f5c76d8794
- SHA512
  
  ecfdf797a8cf4316c786cd56fd6e7431529b985b446b9d388797b070fb4bba6ff4f6eeed6c488b42c8dfc584d1e5e94f5c53dcc550d02b401dd463b34fb06312
- SSDEEP
  
  12288:ikRCRTrqXyp0uqyNlz7n7SEQ8eskJKKP:FRCRT+CKNKlXi7i
Score

10^/10

trickbot jim252 banker evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotjim252bankerevasionexecutiontrojan

behavioral2

trickbotjim252bankerpersistencetrojan

© 2018-2025

Terms | Privacy