trickbot | d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
21-01-2021 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe
Size

1.3MB
MD5

b9ab9ac3b5335fdca292acb7ca85eb14
SHA1

26847a08f6e0504aff926b6278b2b8efdc90036a
SHA256

d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea
SHA512

b0ed0d2a1291dc20a4a8b080c95fcdd34413cce70e95ea554675fb57a327e9b33cb79844278eb3d32398d2d2457e409ca4736ef2c24633ed8306809df7d197b1

Score

10^/10

trickbot rob1 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

2000022

Botnet

rob1

85.204.116.83:443

91.200.100.143:443

83.151.14.13:443

107.191.61.39:443

113.160.129.15:443

139.162.182.54:443

139.162.44.152:443

144.202.106.23:443

158.247.219.186:443

172.105.107.25:443

172.105.190.51:443

172.105.196.53:443

172.105.25.190:443

178.79.138.253:443

192.46.229.48:443

207.246.92.48:443

216.128.130.16:443

45.79.126.97:443

45.79.155.9:443

45.79.212.97:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 3 IoCs

Processes:

Tua.comTua.comTua.com

pid process

1092 Tua.com
340 Tua.com
760 Tua.com
Loads dropped DLL 3 IoCs

Processes:

cmd.exeTua.comTua.com

pid process

1836 cmd.exe
1092 Tua.com
340 Tua.com

pid	process
1092	Tua.com
340	Tua.com
760	Tua.com

pid	process
1836	cmd.exe
1092	Tua.com
340	Tua.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip.anysrc.net
Suspicious use of SetThreadContext 1 IoCs

Processes:

Tua.com

description pid process target process

PID 340 set thread context of 760 340 Tua.com Tua.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

332 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 952 wermgr.exe

flow	ioc
7	ip.anysrc.net

description	pid	process	target process
PID 340 set thread context of 760	340	Tua.com	Tua.com

pid	process
332	PING.EXE

description	pid	process
Token: SeDebugPrivilege	952	wermgr.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.execmd.execmd.exeTua.comTua.comTua.com

description	pid	process	target process
PID 1740 wrote to memory of 1424	1740	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe	cmd.exe
PID 1740 wrote to memory of 1424	1740	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe	cmd.exe
PID 1740 wrote to memory of 1424	1740	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe	cmd.exe
PID 1740 wrote to memory of 1424	1740	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe	cmd.exe
PID 1740 wrote to memory of 1244	1740	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe	cmd.exe
PID 1740 wrote to memory of 1244	1740	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe	cmd.exe
PID 1740 wrote to memory of 1244	1740	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe	cmd.exe
PID 1740 wrote to memory of 1244	1740	d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe	cmd.exe
PID 1244 wrote to memory of 1540	1244	cmd.exe	certutil.exe
PID 1244 wrote to memory of 1540	1244	cmd.exe	certutil.exe
PID 1244 wrote to memory of 1540	1244	cmd.exe	certutil.exe
PID 1244 wrote to memory of 1540	1244	cmd.exe	certutil.exe
PID 1244 wrote to memory of 1836	1244	cmd.exe	cmd.exe
PID 1244 wrote to memory of 1836	1244	cmd.exe	cmd.exe
PID 1244 wrote to memory of 1836	1244	cmd.exe	cmd.exe
PID 1244 wrote to memory of 1836	1244	cmd.exe	cmd.exe
PID 1836 wrote to memory of 1156	1836	cmd.exe	findstr.exe
PID 1836 wrote to memory of 1156	1836	cmd.exe	findstr.exe
PID 1836 wrote to memory of 1156	1836	cmd.exe	findstr.exe
PID 1836 wrote to memory of 1156	1836	cmd.exe	findstr.exe
PID 1836 wrote to memory of 1088	1836	cmd.exe	certutil.exe
PID 1836 wrote to memory of 1088	1836	cmd.exe	certutil.exe
PID 1836 wrote to memory of 1088	1836	cmd.exe	certutil.exe
PID 1836 wrote to memory of 1088	1836	cmd.exe	certutil.exe
PID 1836 wrote to memory of 1092	1836	cmd.exe	Tua.com
PID 1836 wrote to memory of 1092	1836	cmd.exe	Tua.com
PID 1836 wrote to memory of 1092	1836	cmd.exe	Tua.com
PID 1836 wrote to memory of 1092	1836	cmd.exe	Tua.com
PID 1836 wrote to memory of 332	1836	cmd.exe	PING.EXE
PID 1836 wrote to memory of 332	1836	cmd.exe	PING.EXE
PID 1836 wrote to memory of 332	1836	cmd.exe	PING.EXE
PID 1836 wrote to memory of 332	1836	cmd.exe	PING.EXE
PID 1092 wrote to memory of 340	1092	Tua.com	Tua.com
PID 1092 wrote to memory of 340	1092	Tua.com	Tua.com
PID 1092 wrote to memory of 340	1092	Tua.com	Tua.com
PID 1092 wrote to memory of 340	1092	Tua.com	Tua.com
PID 340 wrote to memory of 760	340	Tua.com	Tua.com
PID 340 wrote to memory of 760	340	Tua.com	Tua.com
PID 340 wrote to memory of 760	340	Tua.com	Tua.com
PID 340 wrote to memory of 760	340	Tua.com	Tua.com
PID 340 wrote to memory of 760	340	Tua.com	Tua.com
PID 340 wrote to memory of 760	340	Tua.com	Tua.com
PID 760 wrote to memory of 1020	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 1020	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 1020	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 1020	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 952	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 952	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 952	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 952	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 952	760	Tua.com	wermgr.exe
PID 760 wrote to memory of 952	760	Tua.com	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe
"C:\Users\Admin\AppData\Local\Temp\d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c fhlfszSNj
2⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode Brucia.xls Suo.dot & cmd < Suo.dot
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\certutil.exe
certutil -decode Brucia.xls Suo.dot
3⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^lJeUmwiXzEXbPwzCIHvkQFe$" Estremita.adt
4⤵
PID:1156

C:\Windows\SysWOW64\certutil.exe
certutil -decode Ore.ini Z
4⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
Tua.com Z
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com Z
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
7⤵
PID:1020

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Appare.sys
MD5
f24168a8978d6f37d25752f05efdf8c2

SHA1
f0680ec42311212cef68370a83f4d62c7966099e

SHA256
08459331eceb39b60a5b166ee3322767c157292dc108df54933227c6bd500b28

SHA512
1d95ceeb4f861eb36b23145dc39db42bd8960f721dc6632428e2243446c1e7b02a39488c30ecaf28757b857ef78cf842ec99e11fa00380b766126fdf6134c724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Brucia.xls
MD5
82d90d91a120a19919dbc524880a2eae

SHA1
b86fb4b724d11d5c412e04251e0cd830755ef007

SHA256
875a4cdc9fbd55810dd252f8e35512fffb892a79e517411d1fcbd917685efc8a

SHA512
1dba871074f97c68fe0c49bab166f801bcfad153be12e346f9baf39b9b1642d2db4b6255da5153ebf2994ba4c7d722011b98c4b053ece8313102995fa4e16440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Estremita.adt
MD5
8253b4f0646e3c127d146110f889215e

SHA1
64a92b27c3762f2b0bc6af67c1de6e006c1b820d

SHA256
08607493aab770b45ffdb7ffe5c1f3a5e5fdba0b55d03251f7117ee10f4d67ad

SHA512
b6013ef36f296c50ab1a1b15b27fc8b5ba840d66279fcf5eab396c1fc5058760c6f08626a1119790bccd794fad1e2eb7cb764245408ade1838926a0e4e3d5f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ore.ini
MD5
6c2dfee26bbca7045c465d9c0414b652

SHA1
58ed46c2dc00097521d0db0819541d9e4909deb8

SHA256
eeb47e521e0facfb217aef0e9c1cb57e147340b8e1c3d8e4acdff3e04dad2eef

SHA512
8ddc4974e35b2fdf35556b28e4c49f3290308f537ce0f50ee6ddcd466abc8a1908c28905ac07a721f0b75f514a1b503c4464267e7bc51107a459f46c4ee93ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suo.dot
MD5
9d88809cceb6dab6ed296d8bef0dc0d5

SHA1
a31e613888ca0cb3fd77d208c8621c05d2828ab9

SHA256
74e36bf70290030e791e981aca49b1cc3e4e96aa12949add2d254cad3a095d37

SHA512
84efe76ccc711af625a5f6a8fd3fb92dffda62b554f44df9ff9b65152a461f1c54659dca68debef324512d97d32b677e3fe6b6210f4bbec25a1cec02c657ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Z
MD5
89fbfd3b8f82003de0ced3fd68406bdd

SHA1
57b2cc29133732e93ed2cf3853476dfecc8d007c

SHA256
f091e7d727e58c93bdb06ffceca3ee720a29768ff9b175c35a978f68777d5388

SHA512
8aa61d225a338733fa81f7abd5c288ff14a02669393c8a2f369712da614ff582d4144c6920bb36b13a64de583918f7c5524f8f2d738291dcf1ca8c43df98beb3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/332-18-0x0000000000000000-mapping.dmp

Download
memory/340-27-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/340-22-0x0000000000000000-mapping.dmp

Download
memory/760-33-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/760-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-32-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/952-36-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/952-35-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/952-34-0x0000000000000000-mapping.dmp

Download
memory/1088-11-0x0000000000000000-mapping.dmp

Download
memory/1092-15-0x0000000000000000-mapping.dmp

Download
memory/1156-9-0x0000000000000000-mapping.dmp

Download
memory/1244-3-0x0000000000000000-mapping.dmp

Download
memory/1424-2-0x0000000000000000-mapping.dmp

Download
memory/1540-5-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1540-4-0x0000000000000000-mapping.dmp

Download
memory/1836-8-0x0000000000000000-mapping.dmp

Download