trickbot | 225d41fc5d44936822f7b137ecf6156ed4a3d08439b1b2f9633ccfbc51fad7d6 | Triage

Sharing

General

Target

b1f04b467115b366a8d8b76fd4da6cc7_JaffaCakes118
Size

299KB
Sample

240821-d1kqgsxhkc
MD5

b1f04b467115b366a8d8b76fd4da6cc7
SHA1

860f3a96d57984d0112521e9eb31e30ed2498033
SHA256

225d41fc5d44936822f7b137ecf6156ed4a3d08439b1b2f9633ccfbc51fad7d6
SHA512

80f3ddefaf0627e12cf7569afb83789384788e9cd65aea4a7eb8f3f030469fd067e4e4c029512857ee28c2011e8076d1d97ac676524c79bf987dc337f088d5ae
SSDEEP

6144:eAiBe5v1c1TGVMftOGoBButUAG7l7eNwVIeCi0a5bZq/4kCBuc:xig5y9i2OrIUAG7l7eNwVI6vKAkCB

Score

10^/10

trickbot tot314 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000263

Botnet

tot314

C2

118.97.119.218:449

94.181.47.198:449

144.121.143.129:449

185.200.60.138:449

185.42.52.126:449

181.174.112.74:449

178.116.83.49:443

121.58.242.206:449

182.50.64.148:449

82.222.40.119:449

97.78.222.18:449

67.79.15.106:449

168.167.87.79:443

103.111.53.126:449

182.253.20.66:449

192.188.120.164:443

81.17.86.112:443

95.154.80.154:449

46.149.182.112:449

69.9.232.167:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  b1f04b467115b366a8d8b76fd4da6cc7_JaffaCakes118
- Size
  
  299KB
- MD5
  
  b1f04b467115b366a8d8b76fd4da6cc7
- SHA1
  
  860f3a96d57984d0112521e9eb31e30ed2498033
- SHA256
  
  225d41fc5d44936822f7b137ecf6156ed4a3d08439b1b2f9633ccfbc51fad7d6
- SHA512
  
  80f3ddefaf0627e12cf7569afb83789384788e9cd65aea4a7eb8f3f030469fd067e4e4c029512857ee28c2011e8076d1d97ac676524c79bf987dc337f088d5ae
- SSDEEP
  
  6144:eAiBe5v1c1TGVMftOGoBButUAG7l7eNwVIeCi0a5bZq/4kCBuc:xig5y9i2OrIUAG7l7eNwVI6vKAkCB
Score

10^/10

trickbot tot314 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbottot314bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbottot314bankerdiscoverypersistencetrojan