trickbot | 1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534 | Triage

Sharing

General

Target

fa04235f2c1acd6e551ec5ffecdcf71b_JaffaCakes118
Size

299KB
Sample

240927-jrze6svgld
MD5

fa04235f2c1acd6e551ec5ffecdcf71b
SHA1

3b7d78b3cf06f6b0caa20b7b8ae9dc395548a723
SHA256

1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534
SHA512

6d1ee393551222413f3f07252ef7201b51047ef4b76dd8cdc74e2477e3be784dd2866d17da2481c79945b9bb9574bf2a4a6a923c43d9cb4432dd6a814cf73c67
SSDEEP

6144:HAemIDCLNJHnjIxTjJHfn0lkQGCXtZnALh7pBuc:g6KExT98lRXw7pB

Score

10^/10

trickbot lib314 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000263

Botnet

lib314

C2

118.97.119.218:449

94.181.47.198:449

144.121.143.129:449

185.200.60.138:449

185.42.52.126:449

181.174.112.74:449

178.116.83.49:443

121.58.242.206:449

182.50.64.148:449

82.222.40.119:449

97.78.222.18:449

67.79.15.106:449

168.167.87.79:443

103.111.53.126:449

182.253.20.66:449

192.188.120.164:443

81.17.86.112:443

95.154.80.154:449

46.149.182.112:449

69.9.232.167:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  fa04235f2c1acd6e551ec5ffecdcf71b_JaffaCakes118
- Size
  
  299KB
- MD5
  
  fa04235f2c1acd6e551ec5ffecdcf71b
- SHA1
  
  3b7d78b3cf06f6b0caa20b7b8ae9dc395548a723
- SHA256
  
  1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534
- SHA512
  
  6d1ee393551222413f3f07252ef7201b51047ef4b76dd8cdc74e2477e3be784dd2866d17da2481c79945b9bb9574bf2a4a6a923c43d9cb4432dd6a814cf73c67
- SSDEEP
  
  6144:HAemIDCLNJHnjIxTjJHfn0lkQGCXtZnALh7pBuc:g6KExT98lRXw7pB
Score

10^/10

trickbot lib314 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotlib314bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotlib314bankerdiscoverypersistencetrojan