trickbot | 5372e8b0e4f6faefe0da17b4e81fb0eb1554c0b5e2d3ce5500d70d1e6511f436 | Triage

Submit
Reports

Overview

overview

Static

static

3

213f7ad750...18.exe

windows7-x64

213f7ad750...18.exe

windows10-2004-x64

Sharing

General

Target

213f7ad750d19a54261036b1af0d4d47_JaffaCakes118
Size

412KB
Sample

240507-xhx3msac2y
MD5

213f7ad750d19a54261036b1af0d4d47
SHA1

d476f107e55c90c063b7a49ca63292cd0402f5d7
SHA256

5372e8b0e4f6faefe0da17b4e81fb0eb1554c0b5e2d3ce5500d70d1e6511f436
SHA512

d65b01b82b294a07f3eed069ad7836c401493819670f60b29c02b5e5dbe18ceffa2f57176e8e6989505ea3213deb493a794b7692bb802e172ce7a990099075a0
SSDEEP

6144:vhltaynk6tHuwvi2MQYP+kS764me2Z3yrD6VFhvpLb:vUKk6tHuQiRJPjwmeY+6FJb

Score

10^/10

trickbot tot271 banker evasion execution persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe

Resource

win7-20240220-en

trickbot tot271 banker evasion execution trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe

Resource

win10v2004-20240419-en

trickbot tot271 banker persistence trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

trickbot

Version

1000231

Botnet

tot271

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

103.210.30.201:443

158.58.131.54:443

87.117.146.63:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

31.29.62.112:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

185.129.193.221:443

184.68.167.42:443

200.46.121.130:443

92.53.77.105:443

92.38.135.168:443

185.174.172.236:443

109.234.37.227:443

213.183.63.144:443

94.103.80.56:443

185.159.129.131:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  213f7ad750d19a54261036b1af0d4d47_JaffaCakes118
- Size
  
  412KB
- MD5
  
  213f7ad750d19a54261036b1af0d4d47
- SHA1
  
  d476f107e55c90c063b7a49ca63292cd0402f5d7
- SHA256
  
  5372e8b0e4f6faefe0da17b4e81fb0eb1554c0b5e2d3ce5500d70d1e6511f436
- SHA512
  
  d65b01b82b294a07f3eed069ad7836c401493819670f60b29c02b5e5dbe18ceffa2f57176e8e6989505ea3213deb493a794b7692bb802e172ce7a990099075a0
- SSDEEP
  
  6144:vhltaynk6tHuwvi2MQYP+kS764me2Z3yrD6VFhvpLb:vUKk6tHuQiRJPjwmeY+6FJb
Score

10^/10

trickbot tot271 banker evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbottot271bankerevasionexecutiontrojan

behavioral2

trickbottot271bankerpersistencetrojan

© 2018-2025

Terms | Privacy