trickbot | 274b6668d5fafddcdbf6fb0897eaad9d1528fb44e114f0c653837dccc3e5d4d1 | Triage

Sharing

General

Target

43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118
Size

359KB
Sample

240514-2z57ssdc99
MD5

43751b17fc3c524fb11479fbc83a5a22
SHA1

b527bdb326b51e6cc99ce09a4057271af1046faa
SHA256

274b6668d5fafddcdbf6fb0897eaad9d1528fb44e114f0c653837dccc3e5d4d1
SHA512

91b5da875aa3510b9cd2cccdbc10f085ae797663c96d673ab776f07f1a198f88e0f38f313ab2295f5a884eab1d04df0d41e16e0eb27ae73b21f78ae4c374dbb1
SSDEEP

6144:NDepQqB6VUAeMXMybf48e9L5+LwzEEy5FEFgYWgHHvgR3Chr5va+A3s5bA4vT4ow:NDep8V1dYRV5+LhVqnWChrg3sxA4v0ow

Score

10^/10

trickbot tot353 banker evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000299

Botnet

tot353

C2

91.235.128.140:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

71.14.129.8:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

188.68.209.153:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118
- Size
  
  359KB
- MD5
  
  43751b17fc3c524fb11479fbc83a5a22
- SHA1
  
  b527bdb326b51e6cc99ce09a4057271af1046faa
- SHA256
  
  274b6668d5fafddcdbf6fb0897eaad9d1528fb44e114f0c653837dccc3e5d4d1
- SHA512
  
  91b5da875aa3510b9cd2cccdbc10f085ae797663c96d673ab776f07f1a198f88e0f38f313ab2295f5a884eab1d04df0d41e16e0eb27ae73b21f78ae4c374dbb1
- SSDEEP
  
  6144:NDepQqB6VUAeMXMybf48e9L5+LwzEEy5FEFgYWgHHvgR3Chr5va+A3s5bA4vT4ow:NDep8V1dYRV5+LhVqnWChrg3sxA4v0ow
Score

10^/10

trickbot tot353 banker evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbottot353bankerevasionexecutiontrojan

behavioral2

trickbottot353bankerpersistencetrojan