trickbot | b71968ea01e2c2ed82e28a557f3210f3fde4caf97a1368e520650a8e2f5f459c

Sharing

Copy URL

Twitter E-mail

General

Target

2.zip
Size

7.6MB
Sample

250414-a1k5gaxyaw
MD5

a29400d43fde42181d504827b759b313
SHA1

9a408c982ae1d7b5ab3c370b703b368ed795efdf
SHA256

b71968ea01e2c2ed82e28a557f3210f3fde4caf97a1368e520650a8e2f5f459c
SHA512

38b10fada863f94d9ac68301d9c76785cb5eeec0e595a032818aefbae43452908fa4813c29fb054ab5adba040bfd56b58248f09a9fd120a7693b05791e8f6308
SSDEEP

196608:5Xq0WFROFqZk50CYQRQ/MxVLq8/0FWo4ZFSo1JpCGi:5rekqCdSM7W8/YWo4ZlpCGi

Score

10^/10

Malware Config

Extracted

Family

trickbot

Version

1000501

Botnet

ono33

5.182.210.226:443

5.182.210.120:443

185.65.202.183:443

212.80.217.243:443

85.143.218.249:443

194.5.250.178:443

198.15.119.121:443

107.175.87.142:443

185.14.31.72:443

188.165.62.2:443

194.5.250.179:443

198.15.119.71:443

185.14.29.4:443

185.99.2.202:443

192.3.193.162:443

89.191.234.89:443

195.54.32.12:443

31.131.21.30:443

5.34.177.194:443

190.214.13.2:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://sandiegohomevalues.com/engl/4de-kzsyhu-768611/

exe.dropper

https://www.wenkawang.com/data/bofze0s-7ji4-15/

exe.dropper

https://www.bruidsfotograaf-utrecht.com/wp-includes/QLvFLy/

exe.dropper

http://ma.jopedu.com/img/8z8dl-3xn-655019278/

exe.dropper

http://pay.jopedu.com/ThinkPHP/l9okcguh6-b9nnrh7-96245524/

Targets

- Target
  
  2/VirusShare_01b55404de50bd1a56343b2f316ff88d
- Size
  
  121KB
- MD5
  
  01b55404de50bd1a56343b2f316ff88d
- SHA1
  
  8a6b9599d3e71c83eaef7f5a23df21b4f41370b1
- SHA256
  
  69bd652ace6469311a49a12f66bbbc691bdfc69aba958dd02d928464cbb46609
- SHA512
  
  f1ec4bf6768dea2edc53c72dd7c884641a464f4268d21480bb55fbdb1079b8c5c9fb50eab4b29d13acb4a8682ca6ae291341e01b748e228b185676e48df2e598
- SSDEEP
  
  3072:JrhJGtDfYtWAh3A8lKl+/63VBwxkbwQXz8lFTnc:JrhJoDfY13KE/qVlNYvnc
Score

3^/10

discovery
behavioral1
- Target
  
  2/VirusShare_1ad9a67240d5775395c45b64dd6529fa
- Size
  
  2.9MB
- MD5
  
  1ad9a67240d5775395c45b64dd6529fa
- SHA1
  
  c653d2c475f639ad68c210e0f9d829344c5663c7
- SHA256
  
  3751298058a2a5d0912caa35bfdbafa48ae788647b536e69ad383c7c1990dd9d
- SHA512
  
  721b1c577db1cfe5465eaceadf2a7cc9d3f68d341f98d7dcc4bde2ff606f359b6bc917e993f5f05e9897b7957ca2617fa03937c2aea6a8462b86f2e750397c23
- SSDEEP
  
  49152:4obi85jFGg0IZHVA/pfa8u0Ikjhd6kss8CYxB52ibDIJZKpYg0Kg9e+KgFTRFO:Vzh6/I8u0IktgkOvxBUibs2Z0ggFdE
Score

3^/10

discovery
behavioral2
- Target
  
  2/VirusShare_2fe5b00079aec2d8369a798230313ec8
- Size
  
  125KB
- MD5
  
  2fe5b00079aec2d8369a798230313ec8
- SHA1
  
  e233595a2ee62f6197fcc7d9088fce3505c38ec0
- SHA256
  
  8eb6805a0852b220695175ce81a5b139f1438dc06ea3fc1347b047702880374c
- SHA512
  
  d9b4173274b49d7f041aea1a6866d5cc79530360668299385a10f25597b608308a5cb6502363709a7e09e43d30a1df95e1ab72fcc71852c78b51da016c2bbed7
- SSDEEP
  
  3072:beKgdzSrG8KyIwLx3phgC1s0rPOWfKNR/:beKUzSLnLx3X3O0r2WfKNJ
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral3
- Target
  
  2/VirusShare_3f0b1eed4b7b9ae05fab4d949843f103
- Size
  
  35KB
- MD5
  
  3f0b1eed4b7b9ae05fab4d949843f103
- SHA1
  
  e5b9fa0a23f337adae93ed4e8fcd1e9d9db4acba
- SHA256
  
  ce21d34bafe338effb8f619936f057084cb45743fce884a1465966d8523a00a8
- SHA512
  
  292183a9d0b3e5759453a43bcf34b8b1d09d09523687bfab090dd740a5c70169938904949b1c5a025b40082898dc3ec240ad2ec788b66f256efe5a041f774740
- SSDEEP
  
  384:3+WbqwPv/ETzbVwNY/+TU5lHizK+BS3DzxW8M2GzraAzVCIXh3aM:OWbqm/EvZwO2TUrEQDtI2G31lX5
Score

1^/10
behavioral4
- Target
  
  2/VirusShare_480ef02bb062a57724e1b3e14532a140
- Size
  
  32KB
- MD5
  
  480ef02bb062a57724e1b3e14532a140
- SHA1
  
  5ea2c3fdeb0b399e1805a94d8e6af4ce0de2c63e
- SHA256
  
  b2e302356d613a814a41d356a61cee24fc133dd032e4b02d8e29436aedd8d742
- SHA512
  
  82587a541bdc570b15402ef33beb14d9681160dc6e520f0c34b3c040658d17a9ced58feaa350f3a6c56eb7236ceb4bd09ba6ece56d13113780a6fe1a5044a99f
- SSDEEP
  
  768:9EKOUP0/RXtY+E1dhX2e1kaVsVri7sF9/I70u5M/E5vXuMZmwgCLWarCC:ROc0JTE1dhX2e1kssVri7sng0u5MyXFh
Score

3^/10

discovery
behavioral5
- Target
  
  2/wedding.apk
- Size
  
  5.3MB
- MD5
  
  7a78191dad2e8baf6b372a4dc864430c
- SHA1
  
  92f7a09036d7fc1c4ada288fdb114e5e5dcb09c1
- SHA256
  
  7a42d7809fdef76fe0580d09ef6780a96c000d97712236e6550d7fff061e122a
- SHA512
  
  28ed1d04180dbf9fa7ea9561ddc112377c7d81f6ee1078ceb2fb93782cb29ff875bafc03f5906379f87060132d048ff1802748a97eb7cde9647893e5550c2c8d
- SSDEEP
  
  98304:dTUWQ8/rUKDzU87SWbFnVNyYdOYmwKOQarbcDSaBd2ZrYub+4XD:dTLHPSw7Nd8v0rr3aX4XD
Score

1^/10
behavioral6 behavioral7 behavioral8

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

MITRE ATT&CK Enterprise v16

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8