trickbot | 696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

General

Target

radiance.png.pellet.exe
Size

532KB
MD5

e8a28a5d13c44e81779b7f499224e5bf
SHA1

52cd0f52e9fab839fac42dd69a1c52aa9b9885f8
SHA256

696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85
SHA512

fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

Score

10^/10

trickbot tot352 banker evasion persistence spyware trojan

Malware Config

Extracted

Family

trickbot

Version

1000298

Botnet

tot352

C2

185.222.202.113:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

188.68.209.153:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1080-2-0x00000000030C0000-0x0000000003100000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

sadiance.png.pellet.exe

pid process

2872 sadiance.png.pellet.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2872	sadiance.png.pellet.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WINYS\\sadiance.png.pellet.exe"	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
13 api.ipify.org
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

flow	ioc
12	api.ipify.org
13	api.ipify.org

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

radiance.png.pellet.exesadiance.png.pellet.exepowershell.exepowershell.exe

pid	process
1080	radiance.png.pellet.exe
1080	radiance.png.pellet.exe
1080	radiance.png.pellet.exe
1080	radiance.png.pellet.exe
1080	radiance.png.pellet.exe
1080	radiance.png.pellet.exe
2872	sadiance.png.pellet.exe
2872	sadiance.png.pellet.exe
2872	sadiance.png.pellet.exe
2872	sadiance.png.pellet.exe
2872	sadiance.png.pellet.exe
2872	sadiance.png.pellet.exe
1616	powershell.exe
2296	powershell.exe
2296	powershell.exe
1616	powershell.exe
1616	powershell.exe
2296	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2296 powershell.exe
Token: SeDebugPrivilege 1616 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

radiance.png.pellet.exesadiance.png.pellet.exe

pid process

1080 radiance.png.pellet.exe
2872 sadiance.png.pellet.exe

description	pid	process
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe

Suspicious use of WriteProcessMemory 701 IoCs

Processes:

radiance.png.pellet.execmd.execmd.execmd.exesadiance.png.pellet.exe

description	pid	process	target process
PID 1080 wrote to memory of 720	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 720	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 720	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 3292	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 3292	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 3292	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 3824	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 3824	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 3824	1080	radiance.png.pellet.exe	cmd.exe
PID 1080 wrote to memory of 2872	1080	radiance.png.pellet.exe	sadiance.png.pellet.exe
PID 1080 wrote to memory of 2872	1080	radiance.png.pellet.exe	sadiance.png.pellet.exe
PID 1080 wrote to memory of 2872	1080	radiance.png.pellet.exe	sadiance.png.pellet.exe
PID 3292 wrote to memory of 932	3292	cmd.exe	sc.exe
PID 3292 wrote to memory of 932	3292	cmd.exe	sc.exe
PID 3292 wrote to memory of 932	3292	cmd.exe	sc.exe
PID 720 wrote to memory of 2076	720	cmd.exe	sc.exe
PID 720 wrote to memory of 2076	720	cmd.exe	sc.exe
PID 720 wrote to memory of 2076	720	cmd.exe	sc.exe
PID 3824 wrote to memory of 1616	3824	cmd.exe	powershell.exe
PID 3824 wrote to memory of 1616	3824	cmd.exe	powershell.exe
PID 3824 wrote to memory of 1616	3824	cmd.exe	powershell.exe
PID 2872 wrote to memory of 500	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 500	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 500	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 1096	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 1096	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 1096	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 588	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 588	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 588	2872	sadiance.png.pellet.exe	cmd.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe
PID 2872 wrote to memory of 2136	2872	sadiance.png.pellet.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\radiance.png.pellet.exe
"C:\Users\Admin\AppData\Local\Temp\radiance.png.pellet.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
3⤵
PID:500

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
4⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
3⤵
PID:1096

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
4⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
PID:588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1e624c29d7399a3e5ffeb4c7e2f90f2e

SHA1
6bf7fac42b014ec7aa09d6b45ee1c752bbb06b30

SHA256
26ad21ea318052438f8cd932f2ebe1aba851f526b346c7ab5a01830e7df19c60

SHA512
11bc6f1f712194224d414154ef5f7a78a0ca5cfbde9951564d11d556e0e35cb7c29b8887435413b52b14de0633237e09ecf059cece2d4fc1b1c9f6446b7f5bde

Download Submit
C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
MD5
e8a28a5d13c44e81779b7f499224e5bf

SHA1
52cd0f52e9fab839fac42dd69a1c52aa9b9885f8

SHA256
696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

SHA512
fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

Download Submit
C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
MD5
e8a28a5d13c44e81779b7f499224e5bf

SHA1
52cd0f52e9fab839fac42dd69a1c52aa9b9885f8

SHA256
696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

SHA512
fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

Download Submit
memory/500-21-0x0000000000000000-mapping.dmp

Download
memory/588-29-0x0000000000000000-mapping.dmp

Download
memory/720-3-0x0000000000000000-mapping.dmp

Download
memory/932-15-0x0000000000000000-mapping.dmp

Download
memory/1080-7-0x0000000003B40000-0x0000000003B41000-memory.dmp

Filesize
4KB

Download
memory/1080-5-0x0000000003B40000-0x0000000003B41000-memory.dmp

Filesize
4KB

Download
memory/1080-6-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1080-2-0x00000000030C0000-0x0000000003100000-memory.dmp

Filesize
256KB

Download
memory/1096-22-0x0000000000000000-mapping.dmp

Download
memory/1616-18-0x0000000000000000-mapping.dmp

Download
memory/1616-78-0x0000000009580000-0x0000000009581000-memory.dmp

Filesize
4KB

Download
memory/1616-72-0x0000000009090000-0x0000000009091000-memory.dmp

Filesize
4KB

Download
memory/1616-50-0x0000000007B90000-0x0000000007B91000-memory.dmp

Filesize
4KB

Download
memory/1616-48-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/1616-40-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/1616-35-0x0000000072DC0000-0x00000000734AE000-memory.dmp

Filesize
6.9MB

Download
memory/2076-16-0x0000000000000000-mapping.dmp

Download
memory/2136-31-0x0000000000000000-mapping.dmp

Download
memory/2136-33-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/2296-44-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/2296-46-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/2296-82-0x00000000096D0000-0x00000000096D1000-memory.dmp

Filesize
4KB

Download
memory/2296-76-0x0000000009790000-0x0000000009791000-memory.dmp

Filesize
4KB

Download
memory/2296-36-0x0000000000000000-mapping.dmp

Download
memory/2296-74-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/2296-37-0x0000000072DC0000-0x00000000734AE000-memory.dmp

Filesize
6.9MB

Download
memory/2296-38-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/2296-58-0x0000000009210000-0x0000000009243000-memory.dmp

Filesize
204KB

Download
memory/2296-42-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/2296-54-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/2296-52-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download
memory/2324-32-0x0000000000000000-mapping.dmp

Download
memory/2872-25-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/2872-24-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/2872-26-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/2872-27-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/2872-23-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/2872-28-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/2872-12-0x0000000000000000-mapping.dmp

Download
memory/2872-30-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/3292-4-0x0000000000000000-mapping.dmp

Download
memory/3824-11-0x0000000000000000-mapping.dmp

Download
memory/3988-34-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads