Overview

overview

10

Static

static

3

80167e487d...18.exe

windows7-x64

10

80167e487d...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    80167e487d931aaf9766d50b4298bdbc_JaffaCakes118

  • Size

    548KB

  • Sample

    240529-j96l7shb83

  • MD5

    80167e487d931aaf9766d50b4298bdbc

  • SHA1

    24bc904fa525f1dff86d3e747074037e0013940f

  • SHA256

    c126f1ae61f0349e84ceb177885f388eddee37f8cc819d235539388029cd9713

  • SHA512

    d15ca1704fe9917ae8aef211334baa01283a52a1b37e8086abf929b3f5bdb518b75e2532d545dc5e865563c3b99b6447ef31a2de87ed52ea85396af6790c25f1

  • SSDEEP

    6144:PTurNmZWPFVBAKNtcda1BObGg4WmwDtYnXutCM2k2wSF+gjoI:7MFbFKaLVWHYXsCvKlgUI

Score
10/10
trickbotlib371bankerevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000315

Botnet

lib371

C2

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      80167e487d931aaf9766d50b4298bdbc_JaffaCakes118

    • Size

      548KB

    • MD5

      80167e487d931aaf9766d50b4298bdbc

    • SHA1

      24bc904fa525f1dff86d3e747074037e0013940f

    • SHA256

      c126f1ae61f0349e84ceb177885f388eddee37f8cc819d235539388029cd9713

    • SHA512

      d15ca1704fe9917ae8aef211334baa01283a52a1b37e8086abf929b3f5bdb518b75e2532d545dc5e865563c3b99b6447ef31a2de87ed52ea85396af6790c25f1

    • SSDEEP

      6144:PTurNmZWPFVBAKNtcda1BObGg4WmwDtYnXutCM2k2wSF+gjoI:7MFbFKaLVWHYXsCvKlgUI

    Score
    10/10
    trickbotlib371bankerevasionexecutiontrojanpersistence

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks