Let’s Learn: Extracting Trickbot Banker IOCs

Goal: Extract indicators of compromise related to Trickbot’s serv710 campaign by tracing WriteFile function. All in all, reversing basic Trickbot functions is rather trivial.
Credit: @dvk01uk -> https://myonlinesecurity.co.uk/yet-another-spoofed-hm-revenue-customs-secure-communication-malspam-delivering-trickbot-banking-trojan/


I. Trickbot’s “ser710” main config:

1000027ser710194.87.95[.]60:443190.228[.]169.106:44394.42.91[.]27:443118.91.178[.]114:443186.103.161[.]204:443163.53.206[.]187:44346.160.165[.]16:443191.7.30[.]30:44346.160.165[.]31:443197.248.210[.]150:443
195.133.201[.]149:44394.140.121[.]250:44383.234.136[.]55:44393.99.68[.]140:443118.91.178[.]145:443168.194.82[.]174:443190.34.158[.]250:443

II. Here is the Trickbot server config:

..1514678400
195.69.196[.]77:447
91.206.4[.]216:447
189.84.113[.]83:447
118.91.178[.]98:447
195.2.253[.]95:447
195.133.49[.]207:447
194.87.235[.]155:447
 


III. Trickbot’s module config is as follows:


yesyes


<conf ctl=“dpost” file=”dpost” period=”60″/>

197.248.210[.]150:443
195.133.201[.]149:443
94.140.121[.]250:443
83.234.136[.]55:443
93.99.68[.]140:443118.91.178[.]145:443168.194.82[.]174:443
190.34.158[.]250:443

<module name="injectDll”/>

IV. Trickbot also contains importDll32, mailsearcher32, systeminfo32, injectDll32 and outlookDl32 modules.

V. Trickbot also installs certificate and collects host information as follows:

VI. Observed redacted webinject modulestargeting international financial institutions:


A. REDACTED*
REDACTED*
ccsarewkpsmofyibdhqcgvnltzxj[.]net
91.247.37[.]9:443


B.  REDACTED*
 REDACTED*
qasaswzlpmdufjxevhociqngybrt[.]net
*/error_path/404[.]html*
91.247.37[.]9:443


Observed Trickbot Network Calls:

*UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

  • /ser710/…/5/sinj/
  • /ser710/…/10/62/HZYRBNEEKG/1/
  • /ser710/…/5/mailsearcher32/
  • /ser710/…/1/Yi72wVESSb7gGU47/ 
  • /ser710/…/1/ualliSoSstzF12hYpHOt/
  • /ser710/…/1/7Faztb8AfD8pdO2ysayPh1ydPEdaZr75/ 
  • /ser710/…/5/injectDll32/
  • /ser710/…/64/importDll/Firefox/grabber/ 
  • /ser710/…/64/importDll/DebugLog/grabber/ 
  • /ser710/…/64/outlookDll/getdata/test/
  • /ser710/…/284115/

Miscellaneous:

I. mailconf

no








Mailsearcher PDB: C:\Work\Email_grabber\Win32\Release\mailsearcher[.]pdb


Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: