Rewterz Threat Alert – Trickbot gtag red5 distributed as a DLL file

Severity

High

Analysis Summary

Trickbot is an information stealer/banking malware that uses modules to perform different functions. On Windows 10, these modules are loaded into memory, so only the initial Trickbot binary and a text-based configuration file are found on the infected Windows 10 host. Access to Trickbot-infected hosts is granted to other criminal groups to distribute other malware such as Ryuk ransomware. This sort of follow-up malware has previously been noted in conjunction with PowerShell Empire traffic and/or Cobalt Strike activity on a Trickbot-infected host.

Figure: Flow chart for this specific gtag red5 Trickbot infection chain

Impact

  • Credential Theft
  • Unauthorized Remote Access
  • Information theft
  • System takeover

Indicators of Compromise

Domain Name

  • api[.]ipify[.]org

URL

  • http[:]//51[.]89[.]115[.]101/images/cursor[.]png
  • http[:]//51[.]89[.]115[.]101/images/imgpaper[.]png
  • http[:]//203[.]176[.]135[.]102[:]8082

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download untrusted files from emails or the internet.
  • Do not enable macros for untrusted files.
  • Closely monitor ports 443, 447, 449, 8082 and 80, and keep them closed where not needed.
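As an added illustration of the monitoring step above (example code, not part of the Rewterz advisory), the following Python flags outbound connections on the non-standard ports the advisory names (447, 449, 8082) and HTTP requests for the URL paths listed under Indicators of Compromise, while treating ports 80 and 443 as alert-worthy only when paired with one of those paths. It assumes Zeek-style JSON field names (id.orig_h, id.resp_h, id.resp_p, uri); the log records are constructed samples, not real telemetry.

```python
"""Flag Trickbot-style outbound traffic in Zeek-like JSON log records.

Added example for this advisory (not Rewterz tooling). Watches the ports the
Remediation section names and the URL paths listed under Indicators of
Compromise; the log lines below are constructed samples.
"""
import json

# 80/443 are too noisy to alert on alone, so they only count when the
# request also targets one of the listed URI paths.
WATCH_PORTS = {447, 449, 8082}          # non-standard ports: alert on any hit
NOISY_PORTS = {80, 443}                 # alert only with a matching URI path
IOC_PATHS = {"/images/cursor.png", "/images/imgpaper.png"}  # from the advisory

def classify(record):
    """Return an alert label for one JSON log record, or None if benign."""
    port = int(record.get("id.resp_p", 0))
    uri = record.get("uri", "")
    if port in WATCH_PORTS:
        return f"suspicious-port:{port}"
    if port in NOISY_PORTS and uri in IOC_PATHS:
        return f"ioc-path:{uri}"
    return None

def scan(lines):
    """Yield (src, dst, port, label) for every record that matches a rule."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        label = classify(rec)
        if label:
            yield (rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]), label)

# Constructed sample records using Zeek JSON field names (not real telemetry).
SAMPLE_LOG = """
{"id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.10","id.resp_p":443,"uri":"/"}
{"id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.20","id.resp_p":447}
{"id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.30","id.resp_p":80,"uri":"/images/cursor.png"}
{"id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.40","id.resp_p":8082}
{"id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.50","id.resp_p":80,"uri":"/index.html"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```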