trickbot | b6af20ac6ddedad4f914bcb11c08e5399a4aadade16365bae3a5cb1611371e89

General

Target

b5ef0dd86a3fb068a1eef951a9e9bcd1.exe
Size

630KB
MD5

b5ef0dd86a3fb068a1eef951a9e9bcd1
SHA1

098e8b092629f8b1ab59d20b4ebbe39725b2064b
SHA256

b6af20ac6ddedad4f914bcb11c08e5399a4aadade16365bae3a5cb1611371e89
SHA512

45b1477ba4900eaae9731a5f182ff566ba1b9c023db5a0a251779956ea6c2167a4175c182d977b210ec056233237c31981a32593e089ac97418d656678e8fb73

Score

10^/10

trickbot rob38 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

rob38

C2

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 checkip.amazonaws.com
Drops file in System32 directory 1 IoCs

Processes:

wermgr.exe

description ioc process

File created C:\Windows\system32\cn\lumhavkma.txt wermgr.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1000 net.exe
1892 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1804 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

svchost.exesvchost.exe

pid process

844 svchost.exe
844 svchost.exe
1216 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wermgr.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1212 wermgr.exe
Token: SeDebugPrivilege 844 svchost.exe

flow	ioc
10	checkip.amazonaws.com

description	ioc	process
File created	C:\Windows\system32\cn\lumhavkma.txt	wermgr.exe

pid	process
1000	net.exe
1892	net.exe

pid	process
1804	ipconfig.exe

pid	process
844	svchost.exe
844	svchost.exe
1216	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1212	wermgr.exe
Token: SeDebugPrivilege	844	svchost.exe

Suspicious use of WriteProcessMemory 852 IoCs

Processes:

b5ef0dd86a3fb068a1eef951a9e9bcd1.exewermgr.exe

description	pid	process	target process
PID 744 wrote to memory of 1372	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1372	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1372	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1372	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1212	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1212	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1212	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1212	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1212	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 744 wrote to memory of 1212	744	b5ef0dd86a3fb068a1eef951a9e9bcd1.exe	wermgr.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe
PID 1212 wrote to memory of 844	1212	wermgr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b5ef0dd86a3fb068a1eef951a9e9bcd1.exe
"C:\Users\Admin\AppData\Local\Temp\b5ef0dd86a3fb068a1eef951a9e9bcd1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
PID:1372

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:1804

C:\Windows\system32\net.exe
net config workstation
4⤵
PID:1996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
5⤵
PID:1488

C:\Windows\system32\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:1892

C:\Windows\system32\net.exe
net view /all /domain
4⤵
- Discovers systems in the same network
PID:1000

C:\Windows\system32\nltest.exe
nltest /domain_trusts
4⤵
PID:2024

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
4⤵
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-2-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/744-3-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/744-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-5-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/744-6-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/844-10-0x0000000000000000-mapping.dmp

Download
memory/844-12-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1000-20-0x0000000000000000-mapping.dmp

Download
memory/1212-8-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/1212-9-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1212-7-0x0000000000000000-mapping.dmp

Download
memory/1216-13-0x0000000000000000-mapping.dmp

Download
memory/1488-18-0x0000000000000000-mapping.dmp

Download
memory/1600-22-0x0000000000000000-mapping.dmp

Download
memory/1804-16-0x0000000000000000-mapping.dmp

Download
memory/1892-19-0x0000000000000000-mapping.dmp

Download
memory/1996-17-0x0000000000000000-mapping.dmp

Download
memory/2024-21-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing