trickbot | 5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325 | Triage

Sharing

General

Target

d61ca02b30b949fcc13e1876304a66a4_JaffaCakes118
Size

565KB
Sample

240909-l94tqavgla
MD5

d61ca02b30b949fcc13e1876304a66a4
SHA1

c33de07051e054c0ddeacdbcea94a348681d9233
SHA256

5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325
SHA512

0c3e7e023c85a4cbe4c285ca8d3fd87d5a3ae65dc5cdc263e78c68956bc07af3457d20bedee31364faf1acd21044bac531106d92488f4a5ab6cc924fd8361f53
SSDEEP

6144:OtNFZSWXD/Q9Z9OOOeh0znqNZX4tjKMQjmUvgqBUnZBucD4f4RTg1EoGhw2/K67/:UjZS+D/Qv9O0xqjK/jmjBH4gxMbGZ

Score

10^/10

trickbot sat76 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000275

Botnet

sat76

C2

51.68.184.101:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

212.23.70.149:443

185.251.38.178:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  d61ca02b30b949fcc13e1876304a66a4_JaffaCakes118
- Size
  
  565KB
- MD5
  
  d61ca02b30b949fcc13e1876304a66a4
- SHA1
  
  c33de07051e054c0ddeacdbcea94a348681d9233
- SHA256
  
  5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325
- SHA512
  
  0c3e7e023c85a4cbe4c285ca8d3fd87d5a3ae65dc5cdc263e78c68956bc07af3457d20bedee31364faf1acd21044bac531106d92488f4a5ab6cc924fd8361f53
- SSDEEP
  
  6144:OtNFZSWXD/Q9Z9OOOeh0znqNZX4tjKMQjmUvgqBUnZBucD4f4RTg1EoGhw2/K67/:UjZS+D/Qv9O0xqjK/jmjBH4gxMbGZ
Score

10^/10

trickbot sat76 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotsat76bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotsat76bankerdiscoverypersistencetrojan