trickbot | 2c67fac475f845453339466b9c09164902a64a248ea9a87a3c736ff000af7f63 | Triage

Sharing

General

Target

c2e8650780dce959f36ce7c970002a85_JaffaCakes118
Size

417KB
Sample

240826-npd4ns1ejh
MD5

c2e8650780dce959f36ce7c970002a85
SHA1

49f5e5f341b088611d318f38072b4abe502cb126
SHA256

2c67fac475f845453339466b9c09164902a64a248ea9a87a3c736ff000af7f63
SHA512

28ea3d276e21a8122bee11093e9b79f31baf5eaf6c759a3a05e42903f2d09ac807e670757a41486054c56d1a5791620ffa87d7d157fdc9b51bf2d99f2e05bc57
SSDEEP

6144:0LP8Z80Z5MjCCHQONLBB8moFGl7xY9b+:6Unke61D8B4BxY9q

Score

10^/10

trickbot tt0002 banker discovery evasion persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000194

Botnet

tt0002

C2

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:443

173.220.6.194:449

179.107.89.145:449

46.20.207.204:443

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:443

68.227.31.46:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

81.177.255.76:449

37.230.112.67:443

92.53.78.159:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  c2e8650780dce959f36ce7c970002a85_JaffaCakes118
- Size
  
  417KB
- MD5
  
  c2e8650780dce959f36ce7c970002a85
- SHA1
  
  49f5e5f341b088611d318f38072b4abe502cb126
- SHA256
  
  2c67fac475f845453339466b9c09164902a64a248ea9a87a3c736ff000af7f63
- SHA512
  
  28ea3d276e21a8122bee11093e9b79f31baf5eaf6c759a3a05e42903f2d09ac807e670757a41486054c56d1a5791620ffa87d7d157fdc9b51bf2d99f2e05bc57
- SSDEEP
  
  6144:0LP8Z80Z5MjCCHQONLBB8moFGl7xY9b+:6Unke61D8B4BxY9q
Score

10^/10

trickbot tt0002 banker discovery evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

trickbottt0002bankerdiscoveryevasiontrojan

behavioral2

trickbottt0002bankerdiscoverypersistencetrojan