ioc[.]one - OSINT Cyber Threat Intelligence Database

TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT

Show in Graph

Image Description

Common Information

Type	Value
UUID	d36272e0-8351-4891-a656-5652227a6654
Fingerprint	74d4cc68ae4bb01eb882113bc5bca7a355a556768f97a832d2540bfa49247950
Analysis status	DONE
Considered CTI value	2
Text language
Published	None
Added to db	March 10, 2024, 12:30 a.m.
Last updated	Aug. 31, 2024, 2:18 a.m.
Headline	TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT
Title	TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT
Detected Hints/Tags/Attributes	129/3/16

Source URLs

	Redirection	Url
Details	Redirection	https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf
Details	Source	https://eclypsium.com/wp-content/uploads/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf

URL Provider

Details	Provider	Source level domain
Details	eclypsium.com	eclypsium.com

Attributes

Details	Type	#Events	CTI	Value
Details	File	10		rwdrv.sys
Details	File	3		user_platform_check.dll
Details	File	1		reg_bc.reg
Details	File	1		reg_spibar.reg
Details	File	1		reg_spibar.spi
Details	md5	2		491115422a6b94dc952982e6914adc39
Details	md5	2		257483d5d8b268d0d679956c7acdf02d
Details	md5	2		cef670f443d2335f44a1838463ea44ed
Details	sha1	2		55803cb9fd62f69293f6de21f18fd82f3e3d1d68
Details	sha1	2		fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2
Details	sha1	2		30aa28e6df66fe7b4ec643635df8187ede31db06
Details	sha256	2		c1f1bc58456cff7413d7234e348d47a8acfdc9d019ae7a4aba1afc1b3ed55ffa
Details	sha256	2		ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3
Details	sha256	2		c065e39ce4e90a5a966f76d9798cb5b962d51a3f35e3890f91047acfefa8c58e
Details	Threat Actor Identifier - APT	783		APT28
Details	Yara rule	1		rule crime_win32_perma_uefi_dll : Module { meta: author = "@VK_Intel \| Advanced Intelligence" description = "Detects TrickBot Banking module permaDll" md5 = "491115422a6b94dc952982e6914adc39" strings: $module_cfg = "moduleconfig" $str_imp_01 = "Start" $str_imp_02 = "Control" $str_imp_03 = "FreeBuffer" $str_imp_04 = "Release" $module = "user_platform_check.dll" $intro_routine = { 83 EC 40 8B ?? ?? ?? 53 8B ?? ?? ?? 55 33 ED A3 ?? ?? ?? ?? 8B ?? ?? ?? 56 57 89 ?? ?? ?? A3 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 75 ?? 8D ?? ?? ?? 89 ?? ?? ?? 50 6A 40 8D ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 85 C0 78 ?? 8B ?? ?? ?? 85 FF 74 ?? 47 57 E8 ?? ?? ?? ?? 8B F0 59 85 F6 74 ?? 57 6A 00 56 E8 ?? ?? ?? ?? 83 C4 0C EB ?? } condition: 6 of them }