trickbot | 4cb091dae792fb1542b48ddd5b3bbc1fd75c4e1c8f94209e1a177d6e50cfde4f | Triage

Sharing

General

Target

ca6769a67e862c2229018fefb5f126b4_JaffaCakes118
Size

360KB
Sample

240830-h3ygkstcrj
MD5

ca6769a67e862c2229018fefb5f126b4
SHA1

893a49c7dbc1b03d959dc3dc81bde356e6741b4c
SHA256

4cb091dae792fb1542b48ddd5b3bbc1fd75c4e1c8f94209e1a177d6e50cfde4f
SHA512

84a464d0707aba9728f99c5bea0c51e63ab84a87f2c966932d0d03049fe22d789843f588d796ae68d47fd61f12f4c32c3ed8fb74a55082396315e3a46b492577
SSDEEP

6144:7A+XkYJzkRA+n7igs1eMjVryvK2Li6ZEPQ++Rvhyi36PfJZTsuQ:E+jJzkK+7igs1e2raDu6Z/ZVhyiQf3TG

Score

10^/10

trickbot lib334 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000281

Botnet

lib334

C2

91.201.65.119:443

68.3.14.71:443

31.31.161.165:449

91.235.128.207:443

181.113.17.230:449

47.214.185.205:443

94.250.248.165:443

207.140.14.141:443

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

92.223.105.252:443

182.50.64.148:449

187.190.249.230:443

78.155.199.46:443

82.222.40.119:449

198.100.157.163:443

91.235.128.186:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  ca6769a67e862c2229018fefb5f126b4_JaffaCakes118
- Size
  
  360KB
- MD5
  
  ca6769a67e862c2229018fefb5f126b4
- SHA1
  
  893a49c7dbc1b03d959dc3dc81bde356e6741b4c
- SHA256
  
  4cb091dae792fb1542b48ddd5b3bbc1fd75c4e1c8f94209e1a177d6e50cfde4f
- SHA512
  
  84a464d0707aba9728f99c5bea0c51e63ab84a87f2c966932d0d03049fe22d789843f588d796ae68d47fd61f12f4c32c3ed8fb74a55082396315e3a46b492577
- SSDEEP
  
  6144:7A+XkYJzkRA+n7igs1eMjVryvK2Li6ZEPQ++Rvhyi36PfJZTsuQ:E+jJzkK+7igs1e2raDu6Z/ZVhyiQf3TG
Score

10^/10

trickbot lib334 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotlib334bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotlib334bankerdiscoverypersistencetrojan