trickbot | 7e714fd78badfc462f7242c70a88f0c1b728c0da8e3df1f2ba68a1c7c125ca80 | Triage

Sharing

General

Target

5247dc1d4b7c3f078f7409d0dbea6c4e_JaffaCakes118
Size

564KB
Sample

240518-aynsksbd9w
MD5

5247dc1d4b7c3f078f7409d0dbea6c4e
SHA1

3ef8dbdf15fc2b271a772fa1896d900802bb285f
SHA256

7e714fd78badfc462f7242c70a88f0c1b728c0da8e3df1f2ba68a1c7c125ca80
SHA512

3445c8b5bc08473640c8e8ddf7ba21206330c588b3aac2e179c0f43d1d6705b49cf7aa9569396aa58a5d816205cff8e6d6bc390de93b3776e46ccbb1c12aa2ff
SSDEEP

12288:G11qF3P9LWdSD+fSIIDtdOuCbB544OMbGu:FtPhDzC555OMbGu

Score

10^/10

trickbot ser1010 banker evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000275

Botnet

ser1010

C2

51.68.184.101:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

212.23.70.149:443

185.251.38.178:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  5247dc1d4b7c3f078f7409d0dbea6c4e_JaffaCakes118
- Size
  
  564KB
- MD5
  
  5247dc1d4b7c3f078f7409d0dbea6c4e
- SHA1
  
  3ef8dbdf15fc2b271a772fa1896d900802bb285f
- SHA256
  
  7e714fd78badfc462f7242c70a88f0c1b728c0da8e3df1f2ba68a1c7c125ca80
- SHA512
  
  3445c8b5bc08473640c8e8ddf7ba21206330c588b3aac2e179c0f43d1d6705b49cf7aa9569396aa58a5d816205cff8e6d6bc390de93b3776e46ccbb1c12aa2ff
- SSDEEP
  
  12288:G11qF3P9LWdSD+fSIIDtdOuCbB544OMbGu:FtPhDzC555OMbGu
Score

10^/10

trickbot ser1010 banker evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotser1010bankerevasionexecutiontrojan

behavioral2

trickbotser1010bankerpersistencetrojan