trickbot | f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107 | Triage

Sharing

General

Target

74ba5e610af8da17018aeb37ed6fa834JaffaCakes118
Size

361KB
Sample

240531-dqfzjsdb3t
MD5

74ba5e610af8da17018aeb37ed6fa834
SHA1

d3ca5eef27592370fa380729c83cbf7d49092244
SHA256

f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107
SHA512

a66003a07e50f55a2d9d5eb0c5fdcc84e39362c3d1a97f8e7945b9b7995b0f109ffa1de75e242eec36bcd32824b9215040491b78374ac959e91fc6bde7d55d7e
SSDEEP

6144:6611x/ddyenQQU6wdLyTMnYtesyPLWJuUGq5BOf7aWpmJCp:6axvtn3LwdWCY3yO5jOzaWpmJ

Score

10^/10

trickbot ser0924 banker evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000265

Botnet

ser0924

C2

118.97.119.218:449

94.181.47.198:449

144.121.143.129:449

185.200.60.138:449

185.42.52.126:449

181.174.112.74:449

178.116.83.49:443

121.58.242.206:449

182.50.64.148:449

82.222.40.119:449

203.176.132.102:449

103.110.91.118:449

128.201.92.41:449

103.111.53.126:449

182.253.20.66:449

103.10.145.197:449

81.17.86.112:443

95.154.80.154:449

46.149.182.112:449

109.95.113.227:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  74ba5e610af8da17018aeb37ed6fa834JaffaCakes118
- Size
  
  361KB
- MD5
  
  74ba5e610af8da17018aeb37ed6fa834
- SHA1
  
  d3ca5eef27592370fa380729c83cbf7d49092244
- SHA256
  
  f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107
- SHA512
  
  a66003a07e50f55a2d9d5eb0c5fdcc84e39362c3d1a97f8e7945b9b7995b0f109ffa1de75e242eec36bcd32824b9215040491b78374ac959e91fc6bde7d55d7e
- SSDEEP
  
  6144:6611x/ddyenQQU6wdLyTMnYtesyPLWJuUGq5BOf7aWpmJCp:6axvtn3LwdWCY3yO5jOzaWpmJ
Score

10^/10

trickbot ser0924 banker evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotser0924bankerevasionexecutiontrojan

behavioral2

trickbotser0924bankerpersistencetrojan