trickbot | ddc910b0ad32a30ad4b0d98da9ff8d46e60d674ec66891f200a8dad6339d4f58 | Triage

Sharing

General

Target

a7646109d58311c20db8e2167eb1fbf4_JaffaCakes118
Size

384KB
Sample

240614-a6mv9ayblc
MD5

a7646109d58311c20db8e2167eb1fbf4
SHA1

615cda582a19f6abc8634ab2744358c40f25482e
SHA256

ddc910b0ad32a30ad4b0d98da9ff8d46e60d674ec66891f200a8dad6339d4f58
SHA512

00dc69cfc1fae92469d6687d158441ebe2f80b823c5b74d4d8a582dfa32e47b037f28653eaf32c61f6bffb19ebd4fe30d278fdb80820a1daf87498aa3fbb8cf5
SSDEEP

6144:PaZ8OpEHPkwCmpk38F2XkHqpBg9DXpC6kaEcZuXa2a66:P5HMwrpabXkKpADXp+aEci41

Score

10^/10

trickbot tot351 banker evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000297

Botnet

tot351

C2

185.222.202.113:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

192.3.130.29:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  a7646109d58311c20db8e2167eb1fbf4_JaffaCakes118
- Size
  
  384KB
- MD5
  
  a7646109d58311c20db8e2167eb1fbf4
- SHA1
  
  615cda582a19f6abc8634ab2744358c40f25482e
- SHA256
  
  ddc910b0ad32a30ad4b0d98da9ff8d46e60d674ec66891f200a8dad6339d4f58
- SHA512
  
  00dc69cfc1fae92469d6687d158441ebe2f80b823c5b74d4d8a582dfa32e47b037f28653eaf32c61f6bffb19ebd4fe30d278fdb80820a1daf87498aa3fbb8cf5
- SSDEEP
  
  6144:PaZ8OpEHPkwCmpk38F2XkHqpBg9DXpC6kaEcZuXa2a66:P5HMwrpabXkKpADXp+aEci41
Score

10^/10

trickbot tot351 banker evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbottot351bankerevasionexecutiontrojan

behavioral2

trickbottot351bankerpersistencetrojan