trickbot | 91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

General

Target

4c765049f292cb94f47f91dbe243d4b2.exe
Size

912KB
MD5

4c765049f292cb94f47f91dbe243d4b2
SHA1

610911bf779ba590ad382be6f8ed799171d12f50
SHA256

91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be
SHA512

d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

Score

10^/10

trickbot tot39 banker spyware trojan

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 2 IoCs

Processes:

cmd.execmd.exe

flow pid process

21 1752 cmd.exe
22 1888 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

4c765049f292cb94f47f91dbe243d4b2.exe

pid process

1672 4c765049f292cb94f47f91dbe243d4b2.exe
Loads dropped DLL 2 IoCs

Processes:

4c765049f292cb94f47f91dbe243d4b2.exe

pid process

1812 4c765049f292cb94f47f91dbe243d4b2.exe
1812 4c765049f292cb94f47f91dbe243d4b2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ipecho.net

flow	pid	process
21	1752	cmd.exe
22	1888	cmd.exe

pid	process
1672	4c765049f292cb94f47f91dbe243d4b2.exe

flow	ioc
8	ipecho.net

Drops file in Program Files directory 4 IoCs

Processes:

4c765049f292cb94f47f91dbe243d4b2.exewermgr.exe

description	ioc	process
File created	C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe	4c765049f292cb94f47f91dbe243d4b2.exe
File opened for modification	C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe	4c765049f292cb94f47f91dbe243d4b2.exe
File created	C:\Program Files (x86)\DinoComp\AlternateServices.txt	wermgr.exe
File created	C:\Program Files (x86)\DinoComp\cn\quvibqes.txt	wermgr.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1132 net.exe
1832 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1516 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cmd.execmd.exe

pid process

620 cmd.exe
1752 cmd.exe
620 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wermgr.execmd.exe

description pid process

Token: SeDebugPrivilege 1224 wermgr.exe
Token: SeDebugPrivilege 620 cmd.exe

pid	process
1132	net.exe
1832	net.exe

pid	process
1516	ipconfig.exe

pid	process
620	cmd.exe
1752	cmd.exe
620	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1224	wermgr.exe
Token: SeDebugPrivilege	620	cmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4c765049f292cb94f47f91dbe243d4b2.exe4c765049f292cb94f47f91dbe243d4b2.exe

pid	process
1812	4c765049f292cb94f47f91dbe243d4b2.exe
1812	4c765049f292cb94f47f91dbe243d4b2.exe
1672	4c765049f292cb94f47f91dbe243d4b2.exe
1672	4c765049f292cb94f47f91dbe243d4b2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c765049f292cb94f47f91dbe243d4b2.exe4c765049f292cb94f47f91dbe243d4b2.exewermgr.exe

description	pid	process	target process
PID 1812 wrote to memory of 1672	1812	4c765049f292cb94f47f91dbe243d4b2.exe	4c765049f292cb94f47f91dbe243d4b2.exe
PID 1812 wrote to memory of 1672	1812	4c765049f292cb94f47f91dbe243d4b2.exe	4c765049f292cb94f47f91dbe243d4b2.exe
PID 1812 wrote to memory of 1672	1812	4c765049f292cb94f47f91dbe243d4b2.exe	4c765049f292cb94f47f91dbe243d4b2.exe
PID 1812 wrote to memory of 1672	1812	4c765049f292cb94f47f91dbe243d4b2.exe	4c765049f292cb94f47f91dbe243d4b2.exe
PID 1672 wrote to memory of 1516	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1516	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1516	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1516	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1224	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1224	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1224	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1224	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1224	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1672 wrote to memory of 1224	1672	4c765049f292cb94f47f91dbe243d4b2.exe	wermgr.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe
PID 1224 wrote to memory of 620	1224	wermgr.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe
"C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812

C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
"C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
PID:1516

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1516

C:\Windows\system32\net.exe
net config workstation
5⤵
PID:900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
6⤵
PID:944

C:\Windows\system32\net.exe
net view /all
5⤵
- Discovers systems in the same network
PID:1132

C:\Windows\system32\net.exe
net view /all /domain
5⤵
- Discovers systems in the same network
PID:1832

C:\Windows\system32\nltest.exe
nltest /domain_trusts
5⤵
PID:2008

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
5⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
4⤵
- Blocklisted process makes network request
PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe

MD5
4c765049f292cb94f47f91dbe243d4b2

SHA1
610911bf779ba590ad382be6f8ed799171d12f50

SHA256
91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

SHA512
d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-293278959-2699126792-324916226-1000\0f5007522459c86e95ffcc62f32308f1_d7dae845-49c4-4af3-a732-9d0f27f7ccd4

MD5
c80f81514e220ac536fcc291316dd4cc

SHA1
721dfc33e4d90dff458712d3fd33a82460dd0299

SHA256
8f5462810ba508ce188a4eced4f09a08ccc770f4c610d36a94cf5dde0881aab5

SHA512
63c31bce88a70fb6ec693ba4c5423e9277eb536d5fb1c23047908e6f4f43770ac951c992320089ea3c030e2f7083eb64ab5f291538f5da072b998ce419353364

Download Submit
\??\PIPE\NETLOGON

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe

MD5
4c765049f292cb94f47f91dbe243d4b2

SHA1
610911bf779ba590ad382be6f8ed799171d12f50

SHA256
91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

SHA512
d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

Download Submit
\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe

MD5
4c765049f292cb94f47f91dbe243d4b2

SHA1
610911bf779ba590ad382be6f8ed799171d12f50

SHA256
91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

SHA512
d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

Download Submit
memory/620-20-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/620-18-0x0000000000000000-mapping.dmp

Download
memory/900-25-0x0000000000000000-mapping.dmp

Download
memory/944-26-0x0000000000000000-mapping.dmp

Download
memory/1132-27-0x0000000000000000-mapping.dmp

Download
memory/1224-16-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/1224-17-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1224-15-0x0000000000000000-mapping.dmp

Download
memory/1436-30-0x0000000000000000-mapping.dmp

Download
memory/1516-24-0x0000000000000000-mapping.dmp

Download
memory/1672-7-0x0000000000000000-mapping.dmp

Download
memory/1672-14-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1672-13-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1672-11-0x0000000002100000-0x0000000002138000-memory.dmp

Filesize
224KB

Download
memory/1752-21-0x0000000000000000-mapping.dmp

Download
memory/1812-4-0x0000000003070000-0x00000000030A6000-memory.dmp

Filesize
216KB

Download
memory/1812-2-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1812-3-0x00000000030B0000-0x00000000030E8000-memory.dmp

Filesize
224KB

Download
memory/1832-28-0x0000000000000000-mapping.dmp

Download
memory/1888-32-0x0000000000000000-mapping.dmp

Download
memory/2008-29-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads