trickbot | ac8587f6955784f9a2d6cf70bcdce024122c8ec7b459b7e9c8da99dec5d125e0 | Triage

Sharing

General

Target

c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118
Size

429KB
Sample

240828-zm3vssxdjk
MD5

c7a0cae4eeaeca56e467505b1e8f7bfe
SHA1

5898c55e1a79d2e887b41a1d94591cab84fceb39
SHA256

ac8587f6955784f9a2d6cf70bcdce024122c8ec7b459b7e9c8da99dec5d125e0
SHA512

7e98f818f68c06d86bfe7623dc9b31ca1f25ef700d2bc9748df2c6db6cec077321478699d5e41fe3ebcfd7c67993c9270620c29008ec322a67c6565a38e8ac68
SSDEEP

6144:dfajn30w5Wet/sX6k1hsny0FW2Vd++gthfF9LX75Eau81zvxrpD:dfaj3JYMyonXdVo+yvu8h

Score

10^/10

trickbot lib362 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000309

Botnet

lib362

C2

185.251.39.103:443

24.247.181.155:449

174.105.235.178:449

213.183.63.16:443

74.132.133.246:449

174.105.233.82:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118
- Size
  
  429KB
- MD5
  
  c7a0cae4eeaeca56e467505b1e8f7bfe
- SHA1
  
  5898c55e1a79d2e887b41a1d94591cab84fceb39
- SHA256
  
  ac8587f6955784f9a2d6cf70bcdce024122c8ec7b459b7e9c8da99dec5d125e0
- SHA512
  
  7e98f818f68c06d86bfe7623dc9b31ca1f25ef700d2bc9748df2c6db6cec077321478699d5e41fe3ebcfd7c67993c9270620c29008ec322a67c6565a38e8ac68
- SSDEEP
  
  6144:dfajn30w5Wet/sX6k1hsny0FW2Vd++gthfF9LX75Eau81zvxrpD:dfaj3JYMyonXdVo+yvu8h
Score

10^/10

trickbot lib362 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotlib362bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotlib362bankerdiscoverypersistencetrojan