trickbot | b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a | Triage

Sharing

General

Target

575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118
Size

557KB
Sample

240518-29vh2sdg22
MD5

575913faf1c99f4bf044a0ee4bc2f9e8
SHA1

7945e3a56d92020bb356e288b648ec476b264495
SHA256

b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a
SHA512

0b6bf6808f028a72c0123b11cec90e6c022b6ac242f68dd8904e549e76c0d62008940ee0391c777e5ec95e42cabede354e06ffd6803b9011c11105ec6b6d9e8f
SSDEEP

6144:R3xoAWEO6EIZY/ULlAeFWmRhC9o0n/wqfkErNhpIyiTJUnff3admj49U26F5UUdB:5qAWy7CyCln3F5hKTkfImj4eiMbGO

Score

10^/10

trickbot ser1005 banker evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000273

Botnet

ser1005

C2

185.251.39.118:443

94.181.47.198:449

31.31.161.165:449

23.94.41.215:443

181.113.17.230:449

212.23.70.149:443

92.223.105.210:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

121.58.242.206:449

167.114.13.91:443

192.252.209.44:443

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

31.179.162.86:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118
- Size
  
  557KB
- MD5
  
  575913faf1c99f4bf044a0ee4bc2f9e8
- SHA1
  
  7945e3a56d92020bb356e288b648ec476b264495
- SHA256
  
  b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a
- SHA512
  
  0b6bf6808f028a72c0123b11cec90e6c022b6ac242f68dd8904e549e76c0d62008940ee0391c777e5ec95e42cabede354e06ffd6803b9011c11105ec6b6d9e8f
- SSDEEP
  
  6144:R3xoAWEO6EIZY/ULlAeFWmRhC9o0n/wqfkErNhpIyiTJUnff3admj49U26F5UUdB:5qAWy7CyCln3F5hKTkfImj4eiMbGO
Score

10^/10

trickbot ser1005 banker evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotser1005bankerevasionexecutiontrojan

behavioral2

trickbotser1005bankerpersistencetrojan