trickbot | 66a4f5df35234205ad530a1123c7021afb75623b0e16e53143bc553b6adf595e | Triage

Sharing

General

Target

d1a457c76250cd0ad73385fac4ab43e4_JaffaCakes118
Size

510KB
Sample

240907-lqe19axgpc
MD5

d1a457c76250cd0ad73385fac4ab43e4
SHA1

51fafa0a3ca7887230b301a6932a1b3c8ae10982
SHA256

66a4f5df35234205ad530a1123c7021afb75623b0e16e53143bc553b6adf595e
SHA512

2eebab473b69798a73832f328de3b9ac127d77e8a90c8036a0aa1922fdb0e64ce673dfb14e0d45ce4bd6c6604286f22c93b1e907df931a69c918d10452451307
SSDEEP

12288:S0I5i9PUpF1vnXnrIGQRB9RpHRQXoEa4OoMbGv:GcQ1XxU9RldvoMbGv

Score

10^/10

trickbot tot331 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000278

Botnet

tot331

C2

92.38.149.25:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

212.23.70.149:443

185.251.38.85:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  d1a457c76250cd0ad73385fac4ab43e4_JaffaCakes118
- Size
  
  510KB
- MD5
  
  d1a457c76250cd0ad73385fac4ab43e4
- SHA1
  
  51fafa0a3ca7887230b301a6932a1b3c8ae10982
- SHA256
  
  66a4f5df35234205ad530a1123c7021afb75623b0e16e53143bc553b6adf595e
- SHA512
  
  2eebab473b69798a73832f328de3b9ac127d77e8a90c8036a0aa1922fdb0e64ce673dfb14e0d45ce4bd6c6604286f22c93b1e907df931a69c918d10452451307
- SSDEEP
  
  12288:S0I5i9PUpF1vnXnrIGQRB9RpHRQXoEa4OoMbGv:GcQ1XxU9RldvoMbGv
Score

10^/10

trickbot tot331 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbottot331bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbottot331bankerdiscoverypersistencetrojan