trickbot | 8f98d0e1c30fd1a365380df0aef7e89cd29ba92dc26bd1da389987616470862c

General

Target

3285d1f22eb3b7f6acbaf7528d71714d.exe
Size

668KB
MD5

3285d1f22eb3b7f6acbaf7528d71714d
SHA1

8582e7f4b931d9e40f5c237a8b8ffd98ce73cb5b
SHA256

8f98d0e1c30fd1a365380df0aef7e89cd29ba92dc26bd1da389987616470862c
SHA512

b7ab23844ee27c67fa89371b55c4e59367fffaad3880bd2f3b25982cb3ff0564d5b64e919ddb7fdac8d633108cdbb5d942c59759b9cc2104a4fdf21db3df1a36

Score

10^/10

trickbot mor9 banker spyware trojan

Malware Config

Extracted

Family

trickbot

Version

100009

Botnet

mor9

C2

149.54.11.54:449

36.89.191.119:449

41.159.31.227:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.44:449

194.5.249.143:443

142.202.191.175:443

195.123.241.31:443

45.89.125.214:443

45.83.151.103:443

91.200.103.41:443

66.70.246.0:443

64.74.160.218:443

198.46.198.115:443

5.34.180.173:443

23.227.196.5:443

195.123.241.115:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

33 1304 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org
Drops file in System32 directory 1 IoCs

Processes:

wermgr.exe

description ioc process

File created C:\Windows\system32\cn\yccudwdst.txt wermgr.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1060 net.exe
1156 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1608 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cmd.execmd.exe

pid process

1624 cmd.exe
1624 cmd.exe
1304 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wermgr.execmd.exe

description pid process

Token: SeDebugPrivilege 1168 wermgr.exe
Token: SeDebugPrivilege 1624 cmd.exe

flow	pid	process
33	1304	cmd.exe

flow	ioc
10	api.ipify.org

description	ioc	process
File created	C:\Windows\system32\cn\yccudwdst.txt	wermgr.exe

pid	process
1060	net.exe
1156	net.exe

pid	process
1608	ipconfig.exe

pid	process
1624	cmd.exe
1624	cmd.exe
1304	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1168	wermgr.exe
Token: SeDebugPrivilege	1624	cmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

3285d1f22eb3b7f6acbaf7528d71714d.exe

pid	process
932	3285d1f22eb3b7f6acbaf7528d71714d.exe
932	3285d1f22eb3b7f6acbaf7528d71714d.exe
932	3285d1f22eb3b7f6acbaf7528d71714d.exe
932	3285d1f22eb3b7f6acbaf7528d71714d.exe

Suspicious use of WriteProcessMemory 848 IoCs

Processes:

3285d1f22eb3b7f6acbaf7528d71714d.exewermgr.exe

description	pid	process	target process
PID 932 wrote to memory of 1168	932	3285d1f22eb3b7f6acbaf7528d71714d.exe	wermgr.exe
PID 932 wrote to memory of 1168	932	3285d1f22eb3b7f6acbaf7528d71714d.exe	wermgr.exe
PID 932 wrote to memory of 1168	932	3285d1f22eb3b7f6acbaf7528d71714d.exe	wermgr.exe
PID 932 wrote to memory of 1168	932	3285d1f22eb3b7f6acbaf7528d71714d.exe	wermgr.exe
PID 932 wrote to memory of 1168	932	3285d1f22eb3b7f6acbaf7528d71714d.exe	wermgr.exe
PID 932 wrote to memory of 1168	932	3285d1f22eb3b7f6acbaf7528d71714d.exe	wermgr.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe
PID 1168 wrote to memory of 1624	1168	wermgr.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3285d1f22eb3b7f6acbaf7528d71714d.exe
"C:\Users\Admin\AppData\Local\Temp\3285d1f22eb3b7f6acbaf7528d71714d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:1608

C:\Windows\system32\net.exe
net config workstation
4⤵
PID:1676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
5⤵
PID:1396

C:\Windows\system32\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:1060

C:\Windows\system32\net.exe
net view /all /domain
4⤵
- Discovers systems in the same network
PID:1156

C:\Windows\system32\nltest.exe
nltest /domain_trusts
4⤵
PID:1016

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
4⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-2-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/932-3-0x0000000001F30000-0x0000000001F6C000-memory.dmp

Filesize
240KB

Download
memory/1016-36-0x0000000000000000-mapping.dmp

Download
memory/1060-34-0x0000000000000000-mapping.dmp

Download
memory/1156-35-0x0000000000000000-mapping.dmp

Download
memory/1168-4-0x0000000000000000-mapping.dmp

Download
memory/1304-17-0x0000000000000000-mapping.dmp

Download
memory/1396-33-0x0000000000000000-mapping.dmp

Download
memory/1608-31-0x0000000000000000-mapping.dmp

Download
memory/1624-5-0x0000000000000000-mapping.dmp

Download
memory/1628-37-0x0000000000000000-mapping.dmp

Download
memory/1676-32-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing