trickbot | 843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6

General

Target

file5.pellet.exe
Size

369KB
MD5

9ec3a085d785f3d8091fa3435a1b9584
SHA1

1605367d4b3157f29679cd7c045d8a6df2db5c5d
SHA256

843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6
SHA512

de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca

Score

10^/10

trickbot sat97 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000296

Botnet

sat97

C2

185.222.202.113:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

66.38.80.188:449

24.119.69.70:449

192.3.130.29:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

file6.pellet.exe

pid process

764 file6.pellet.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489
Loads dropped DLL 2 IoCs

Processes:

file5.pellet.exe

pid process

292 file5.pellet.exe
292 file5.pellet.exe

pid	process
764	file6.pellet.exe

pid	process
292	file5.pellet.exe
292	file5.pellet.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

file5.pellet.exepowershell.exe

pid process

292 file5.pellet.exe
292 file5.pellet.exe
292 file5.pellet.exe
964 powershell.exe
964 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 964 powershell.exe

pid	process
292	file5.pellet.exe
292	file5.pellet.exe
292	file5.pellet.exe
964	powershell.exe
964	powershell.exe

description	pid	process
Token: SeDebugPrivilege	964	powershell.exe

Suspicious use of WriteProcessMemory 692 IoCs

Processes:

file5.pellet.execmd.execmd.execmd.exefile6.pellet.exe

description	pid	process	target process
PID 292 wrote to memory of 1232	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1232	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1232	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1232	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1212	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1212	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1212	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1212	292	file5.pellet.exe	cmd.exe
PID 1212 wrote to memory of 1536	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1536	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1536	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1536	1212	cmd.exe	sc.exe
PID 1232 wrote to memory of 1680	1232	cmd.exe	sc.exe
PID 1232 wrote to memory of 1680	1232	cmd.exe	sc.exe
PID 1232 wrote to memory of 1680	1232	cmd.exe	sc.exe
PID 1232 wrote to memory of 1680	1232	cmd.exe	sc.exe
PID 292 wrote to memory of 1512	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1512	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1512	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 1512	292	file5.pellet.exe	cmd.exe
PID 292 wrote to memory of 764	292	file5.pellet.exe	file6.pellet.exe
PID 292 wrote to memory of 764	292	file5.pellet.exe	file6.pellet.exe
PID 292 wrote to memory of 764	292	file5.pellet.exe	file6.pellet.exe
PID 292 wrote to memory of 764	292	file5.pellet.exe	file6.pellet.exe
PID 1512 wrote to memory of 964	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 964	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 964	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 964	1512	cmd.exe	powershell.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe
PID 764 wrote to memory of 1620	764	file6.pellet.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file5.pellet.exe
"C:\Users\Admin\AppData\Local\Temp\file5.pellet.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1620

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

1

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
MD5
9ec3a085d785f3d8091fa3435a1b9584

SHA1
1605367d4b3157f29679cd7c045d8a6df2db5c5d

SHA256
843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6

SHA512
de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca

Download Submit
\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
MD5
9ec3a085d785f3d8091fa3435a1b9584

SHA1
1605367d4b3157f29679cd7c045d8a6df2db5c5d

SHA256
843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6

SHA512
de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca

Download Submit
\Users\Admin\AppData\Roaming\WINYS\file6.pellet.exe
MD5
9ec3a085d785f3d8091fa3435a1b9584

SHA1
1605367d4b3157f29679cd7c045d8a6df2db5c5d

SHA256
843fae67108c2580a4590e41d5986191a71fb959959e1b1d40cfab672e15cab6

SHA512
de63061d70d284acf33123fb5b2ba87ba61f9af9192f0534b497f22df1083f167b62f83616b0fd83bbf9f4cf871ea215b82324d23567af097bbf573049be0aca

Download Submit
memory/292-2-0x0000000002150000-0x0000000002161000-memory.dmp

Filesize
68KB

Download
memory/292-3-0x0000000002560000-0x0000000002571000-memory.dmp

Filesize
68KB

Download
memory/292-4-0x0000000002420000-0x0000000002431000-memory.dmp

Filesize
68KB

Download
memory/292-6-0x0000000002420000-0x0000000002431000-memory.dmp

Filesize
68KB

Download
memory/292-5-0x0000000002830000-0x0000000002841000-memory.dmp

Filesize
68KB

Download
memory/292-10-0x0000000002420000-0x0000000002431000-memory.dmp

Filesize
68KB

Download
memory/764-15-0x0000000000000000-mapping.dmp

Download
memory/964-25-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/964-21-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/964-54-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/964-53-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/964-39-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/964-17-0x0000000000000000-mapping.dmp

Download
memory/964-18-0x00000000743E0000-0x0000000074ACE000-memory.dmp

Filesize
6.9MB

Download
memory/964-19-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/964-20-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/964-38-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/964-22-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/964-31-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/964-30-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1212-1-0x0000000000000000-mapping.dmp

Download
memory/1232-0-0x0000000000000000-mapping.dmp

Download
memory/1512-11-0x0000000000000000-mapping.dmp

Download
memory/1536-8-0x0000000000000000-mapping.dmp

Download
memory/1620-55-0x0000000000000000-mapping.dmp

Download
memory/1620-56-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/1680-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing