General

  • Target

    kpsiwn.zip

  • Size

    275KB

  • Sample

    201221-tbmr9vdc86

  • MD5

    b65cc2f110d97046586b951abe00d4ad

  • SHA1

    c763fe8553306d5ee05bba0f04fc8cf4625b7c23

  • SHA256

    dfbf77195c1011a196e0595a0511e2b6beb4b3f87c8a7fd8ec2a12c0e9812afb

  • SHA512

    e628cbb9e85a70eff938c0f729cb2ebce00da6bdc5982abb9cc82acbf52834ac4e67f591164a9341718a92978074730d25b3a3276bb7669f762c7da52ccd7074

Malware Config

Extracted

Family

trickbot

Version

100007

Botnet

mor1

C2

41.243.29.182:449

196.45.140.146:449

103.87.25.220:443

103.98.129.222:449

103.87.25.220:449

103.65.196.44:449

103.65.195.95:449

103.61.101.11:449

103.61.100.131:449

103.150.68.124:449

103.137.81.206:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

  • autorun

    Name: pwgrab

  • ecc_pubkey.base64

Targets

    • Target

      kpsiwn.exe

    • Size

      341KB

    • MD5

      4103d97c7cad79f050901aace0d9fbe0

    • SHA1

      dead0bd2345e9769b5545f4ff628e5c59fb5ef9e

    • SHA256

      e410123bde6a317cadcaf1fa3502301b7aad6f528d59b6b60c97be077ef5da00

    • SHA512

      390513fba9908a4f84a2f49174d573f8c0c45d9aa17ed5fb0300fe4f1eb85873eda4ed221f82d36ed629a06d0b1edd3983c10a5904949eae7d237753ab77ec57

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Tasks