trickbot | 5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22 | Triage

Submit
Reports

Overview

overview

Static

static

89ae5e21d6...18.exe

windows7-x64

89ae5e21d6...18.exe

windows10-2004-x64

Sharing

General

Target

89ae5e21d6cf455f467cfaf62350848c_JaffaCakes118
Size

159KB
Sample

240601-hrs3qadd2t
MD5

89ae5e21d6cf455f467cfaf62350848c
SHA1

e69b24e44991d6d9a2e707f19757d8b2a6222e74
SHA256

5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
SHA512

63b67c859e5a0477b5c88cc696e298cfaed6cf22357ef2e3e41f59cd76aa6e313786f509e73cf3e5309b6880af71f58eb9a24305b5841370be8ca8d75c3ee5a4
SSDEEP

3072:SH46pwuexbq0J2uKpQTbFgq5xvhPFFPZ31C72Bm+UgkrS2n2icz:04weEu7FhPbPZ319nkF

Score

10^/10

trickbot ser0516 banker evasion persistence trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

89ae5e21d6cf455f467cfaf62350848c_JaffaCakes118.exe

Resource

win7-20240221-en

trickbot ser0516 banker evasion trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

89ae5e21d6cf455f467cfaf62350848c_JaffaCakes118.exe

Resource

win10v2004-20240426-en

trickbot ser0516 banker persistence trojan

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

trickbot

Version

1000194

Botnet

ser0516

C2

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:443

173.220.6.194:449

179.107.89.145:449

46.20.207.204:443

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:443

68.227.31.46:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

81.177.255.76:449

37.230.112.67:443

92.53.78.159:443

92.53.77.41:443

185.159.130.203:443

91.235.129.76:443

37.46.128.226:443

185.249.255.77:443

37.230.114.164:443

109.234.37.39:443

89.223.31.103:443

80.93.182.201:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  89ae5e21d6cf455f467cfaf62350848c_JaffaCakes118
- Size
  
  159KB
- MD5
  
  89ae5e21d6cf455f467cfaf62350848c
- SHA1
  
  e69b24e44991d6d9a2e707f19757d8b2a6222e74
- SHA256
  
  5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
- SHA512
  
  63b67c859e5a0477b5c88cc696e298cfaed6cf22357ef2e3e41f59cd76aa6e313786f509e73cf3e5309b6880af71f58eb9a24305b5841370be8ca8d75c3ee5a4
- SSDEEP
  
  3072:SH46pwuexbq0J2uKpQTbFgq5xvhPFFPZ31C72Bm+UgkrS2n2icz:04weEu7FhPbPZ319nkF
Score

10^/10

trickbot ser0516 banker evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

trickbotser0516bankerevasiontrojan

behavioral2

trickbotser0516bankerpersistencetrojan

© 2018-2024

Terms | Privacy