trickbot | 294869aea11e991d49a4d0a9fabd330f351dc6a64f21f8bd87230367a116d39a | Triage

Submit
Reports

Overview

overview

Static

static

3

d98badb54f...18.exe

windows7-x64

d98badb54f...18.exe

windows10-2004-x64

Sharing

General

Target

d98badb54f293a925359e74dad2e05cd_JaffaCakes118
Size

287KB
Sample

240911-d775cszhnq
MD5

d98badb54f293a925359e74dad2e05cd
SHA1

6383c82b072fed7dc09dae67266c52f3824e6b44
SHA256

294869aea11e991d49a4d0a9fabd330f351dc6a64f21f8bd87230367a116d39a
SHA512

37916b25e1ed57fed2b598b7f35ddccc9c38088afa02b57eb6f6ea8bb2e9dc75a27b6b0cfb9e9d7014cff5dd653b2a40defabe7cd906a8267d386e68957fd274
SSDEEP

6144:v0XB7dmHXFnz0Dmv8H9Y6O9pMyCyCUoKDCSWK9cSZF2lJbn9NT:v0R74HX9z0DfH9Y6fdlyJAZnb

Score

10^/10

trickbot ser0711 banker discovery evasion execution trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d98badb54f293a925359e74dad2e05cd_JaffaCakes118.exe

Resource

win7-20240903-en

trickbot ser0711 banker discovery evasion execution trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

d98badb54f293a925359e74dad2e05cd_JaffaCakes118.exe

Resource

win10v2004-20240802-en

trickbot banker discovery trojan

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

trickbot

Version

1000226

Botnet

ser0711

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

118.91.178.101:443

158.58.131.54:443

70.114.186.116:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

96.31.109.51:443

90.69.224.122:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

138.34.32.74:443

185.129.193.221:443

98.202.78.246:443

92.53.78.224:443

82.202.221.163:443

82.202.221.78:443

195.54.163.122:443

195.133.48.175:443

89.223.90.157:443

85.143.220.154:443

82.202.236.5:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  d98badb54f293a925359e74dad2e05cd_JaffaCakes118
- Size
  
  287KB
- MD5
  
  d98badb54f293a925359e74dad2e05cd
- SHA1
  
  6383c82b072fed7dc09dae67266c52f3824e6b44
- SHA256
  
  294869aea11e991d49a4d0a9fabd330f351dc6a64f21f8bd87230367a116d39a
- SHA512
  
  37916b25e1ed57fed2b598b7f35ddccc9c38088afa02b57eb6f6ea8bb2e9dc75a27b6b0cfb9e9d7014cff5dd653b2a40defabe7cd906a8267d386e68957fd274
- SSDEEP
  
  6144:v0XB7dmHXFnz0Dmv8H9Y6O9pMyCyCUoKDCSWK9cSZF2lJbn9NT:v0R74HX9z0DfH9Y6fdlyJAZnb
Score

10^/10

trickbot ser0711 banker discovery evasion execution trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotser0711bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotbankerdiscoverytrojan

© 2018-2024

Terms | Privacy