trickbot | e7638cdc2efcbfe15e47873199e69acb7557c6de78969dd6bab656896386e4a9 | Triage

Sharing

General

Target

d54d23f5fdbf03c102598d85742ac004_JaffaCakes118
Size

572KB
Sample

240908-3nw1es1dlq
MD5

d54d23f5fdbf03c102598d85742ac004
SHA1

c16a75322df05c9ee837b4443f6fb236523ef0f7
SHA256

e7638cdc2efcbfe15e47873199e69acb7557c6de78969dd6bab656896386e4a9
SHA512

8bc25eaacfc19bb83d164756978b20a9d7ed49a30457be208de5c292bf2fc894ef995031ece21e319c6746f6f91616f02b5e5c9ce898e57a1d95543f72d5fb79
SSDEEP

12288:IygFNIq7ECxVakKdlB2nToJ37RVtBq8H:IymhAIu2nQVVHx

Score

10^/10

trickbot ser0829us banker discovery evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000252

Botnet

ser0829us

C2

195.54.163.150:443

168.167.51.10:443

178.116.83.49:443

176.114.66.20:449

162.212.112.175:449

158.58.131.54:443

104.254.10.200:449

118.200.151.113:443

41.211.9.234:449

178.78.202.189:443

109.173.104.236:449

212.225.214.249:449

81.17.86.112:443

41.189.173.18:443

46.149.182.112:449

197.232.243.36:449

198.164.250.111:449

47.49.168.50:443

70.79.178.120:449

68.109.83.22:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  d54d23f5fdbf03c102598d85742ac004_JaffaCakes118
- Size
  
  572KB
- MD5
  
  d54d23f5fdbf03c102598d85742ac004
- SHA1
  
  c16a75322df05c9ee837b4443f6fb236523ef0f7
- SHA256
  
  e7638cdc2efcbfe15e47873199e69acb7557c6de78969dd6bab656896386e4a9
- SHA512
  
  8bc25eaacfc19bb83d164756978b20a9d7ed49a30457be208de5c292bf2fc894ef995031ece21e319c6746f6f91616f02b5e5c9ce898e57a1d95543f72d5fb79
- SSDEEP
  
  12288:IygFNIq7ECxVakKdlB2nToJ37RVtBq8H:IymhAIu2nQVVHx
Score

10^/10

trickbot banker discovery evasion execution trojan ser0829us
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotbankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotser0829usbankerdiscoverytrojan