trickbot | 10001f3da1757be0861df508d85434fbf6c6c422ad9e388d8e37cc7861a0bbea | Triage

Sharing

General

Target

c5c6865deadd8801977c7e46d28ce000_JaffaCakes118
Size

564KB
Sample

240827-1bl9casere
MD5

c5c6865deadd8801977c7e46d28ce000
SHA1

8b1f99bfa477d5f9fd3400565bf07e787fe0f56f
SHA256

10001f3da1757be0861df508d85434fbf6c6c422ad9e388d8e37cc7861a0bbea
SHA512

51956613da7bb0f8a08f77476138e7f4f8f22ff5cccc50b918e3d2b55adfa05a01b22b4e3388de2fcdd3b8f3fd7cc0f568295610fbd6a9f8c61125f7223ab068
SSDEEP

6144:bYVN5v7dpG5AQEDZpjx3z04mWr9ZinL13daCWlhsqx6O7bIUnbBucU4k3mjb3NJV:035v5pG5vEDj10uiL13soOpBQ4k/MbGu

Score

10^/10

trickbot sat77 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000276

Botnet

sat77

C2

92.38.149.25:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

212.23.70.149:443

91.201.65.89:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  c5c6865deadd8801977c7e46d28ce000_JaffaCakes118
- Size
  
  564KB
- MD5
  
  c5c6865deadd8801977c7e46d28ce000
- SHA1
  
  8b1f99bfa477d5f9fd3400565bf07e787fe0f56f
- SHA256
  
  10001f3da1757be0861df508d85434fbf6c6c422ad9e388d8e37cc7861a0bbea
- SHA512
  
  51956613da7bb0f8a08f77476138e7f4f8f22ff5cccc50b918e3d2b55adfa05a01b22b4e3388de2fcdd3b8f3fd7cc0f568295610fbd6a9f8c61125f7223ab068
- SSDEEP
  
  6144:bYVN5v7dpG5AQEDZpjx3z04mWr9ZinL13daCWlhsqx6O7bIUnbBucU4k3mjb3NJV:035v5pG5vEDj10uiL13soOpBQ4k/MbGu
Score

10^/10

trickbot sat77 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotsat77bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotsat77bankerdiscoverypersistencetrojan