trickbot | edcb57b4cacec853469ec74863fed43262f50a5cd2b64f15e50326a6a032540d

General

Target

MRZhwo07xs.js
Size

56KB
MD5

e09a8411720fada28aa0a4ec1e78d7c8
SHA1

f0e5b9f692e2e40d1b0caf0b2126e8f1136cf56f
SHA256

edcb57b4cacec853469ec74863fed43262f50a5cd2b64f15e50326a6a032540d
SHA512

4bbad28c8b36f6a8b3ef308da3b2268e69716d6020ec4e3836b7e6a03a74db47762965b94c14093347a72ec5b47328baf8dcb52cb82f6ecdafaea050a29c8b49

Score

10^/10

trickbot rob35 banker spyware trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

rob35

C2

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 2 IoCs

Processes:

wscript.execmd.exe

flow pid process

6 296 wscript.exe
7 328 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

405996.dat

pid process

1516 405996.dat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cmd.exe

description pid process

Token: SeDebugPrivilege 328 cmd.exe

flow	pid	process
6	296	wscript.exe
7	328	cmd.exe

pid	process
1516	405996.dat

description	pid	process
Token: SeDebugPrivilege	328	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.exe405996.dat

description	pid	process	target process
PID 296 wrote to memory of 1516	296	wscript.exe	405996.dat
PID 296 wrote to memory of 1516	296	wscript.exe	405996.dat
PID 296 wrote to memory of 1516	296	wscript.exe	405996.dat
PID 296 wrote to memory of 1516	296	wscript.exe	405996.dat
PID 1516 wrote to memory of 328	1516	405996.dat	cmd.exe
PID 1516 wrote to memory of 328	1516	405996.dat	cmd.exe
PID 1516 wrote to memory of 328	1516	405996.dat	cmd.exe
PID 1516 wrote to memory of 328	1516	405996.dat	cmd.exe
PID 1516 wrote to memory of 328	1516	405996.dat	cmd.exe
PID 1516 wrote to memory of 328	1516	405996.dat	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\MRZhwo07xs.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:296

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\405996.dat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\405996.dat
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\405996.dat
MD5
e6ad160ab47dc90d05577ff2d4ebcb86

SHA1
6b56dc6e5dd8588beb848038486357e9dfe9086d

SHA256
4cd0c1271aa09d8a1b5a5ce144fc6ef827bf89f5d451ebdc933a9f3502841aec

SHA512
d45c4e3e173d56122ba52eba9f59ae382f598659a51c03db9d89cf174da10cf885c1d1896759b3e5f3ee19ae9ac5e908b0196ad824bdb2bbdc8a3ee391b53e57

Download Submit
memory/296-5-0x00000000026A0000-0x00000000026A4000-memory.dmp

Filesize
16KB

Download
memory/328-6-0x0000000000000000-mapping.dmp

Download
memory/1516-3-0x0000000000000000-mapping.dmp

Download
memory/1972-2-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing