trickbot | 8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3

General

Target

8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe
Size

860KB
MD5

0ab7a7fb149baba9474e3f19809a631a
SHA1

d2988c86826ee3701e3e6deb1f8b8cdfd6493d28
SHA256

8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3
SHA512

d265a3f6e4bb7889f79a3da89a63023be1527b5a3dd6475daea755df7bad27c513de902d4358c355526ff719df0a30506446aa81226f68c3766d4a5421e04665

Score

10^/10

trickbot tot101 banker spyware stealer suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100018

Botnet

tot101

C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Trickbot Checkin Response
suricata: ET MALWARE Trickbot Checkin Response
suricata
suricata: ET MALWARE Win32/Trickbot Data Exfiltration
suricata: ET MALWARE Win32/Trickbot Data Exfiltration
suricata
Blocklisted process makes network request 3 IoCs

Processes:

cmd.exe

flow pid process

41 2872 cmd.exe
42 2872 cmd.exe
43 2872 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 checkip.amazonaws.com
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

212 net.exe
728 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1144 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

cmd.execmd.execmd.exe

pid process

2220 cmd.exe
2220 cmd.exe
904 cmd.exe
904 cmd.exe
2872 cmd.exe
2872 cmd.exe
904 cmd.exe
904 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.execmd.execmd.exe

description pid process

Token: SeDebugPrivilege 3676 wermgr.exe
Token: SeDebugPrivilege 2220 cmd.exe
Token: SeDebugPrivilege 904 cmd.exe

flow	pid	process
41	2872	cmd.exe
42	2872	cmd.exe
43	2872	cmd.exe

flow	ioc
23	checkip.amazonaws.com

pid	process
212	net.exe
728	net.exe

pid	process
1144	ipconfig.exe

pid	process
2220	cmd.exe
2220	cmd.exe
904	cmd.exe
904	cmd.exe
2872	cmd.exe
2872	cmd.exe
904	cmd.exe
904	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3676	wermgr.exe
Token: SeDebugPrivilege	2220	cmd.exe
Token: SeDebugPrivilege	904	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe

pid	process
992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe
992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exewermgr.exe

description	pid	process	target process
PID 992 wrote to memory of 3996	992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe	cmd.exe
PID 992 wrote to memory of 3996	992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe	cmd.exe
PID 992 wrote to memory of 3928	992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe	cmd.exe
PID 992 wrote to memory of 3928	992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe	cmd.exe
PID 992 wrote to memory of 3676	992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe	wermgr.exe
PID 992 wrote to memory of 3676	992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe	wermgr.exe
PID 992 wrote to memory of 3676	992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe	wermgr.exe
PID 992 wrote to memory of 3676	992	8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe	wermgr.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe
PID 3676 wrote to memory of 2220	3676	wermgr.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe
"C:\Users\Admin\AppData\Local\Temp\8ec99d6d2935a9d4bb4ffb425373cd175d116bc3297eeb2913de5d0b5194d3d3.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:3928

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Windows\system32\cmd.exe
/c ipconfig /all
4⤵
PID:1496

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1144

C:\Windows\system32\cmd.exe
/c net config workstation
4⤵
PID:2184

C:\Windows\system32\net.exe
net config workstation
5⤵
PID:2140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
6⤵
PID:996

C:\Windows\system32\cmd.exe
/c net view /all
4⤵
PID:192

C:\Windows\system32\net.exe
net view /all
5⤵
- Discovers systems in the same network
PID:212

C:\Windows\system32\cmd.exe
/c net view /all /domain
4⤵
PID:496

C:\Windows\system32\net.exe
net view /all /domain
5⤵
- Discovers systems in the same network
PID:728

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts
4⤵
PID:3712

C:\Windows\system32\nltest.exe
nltest /domain_trusts
5⤵
PID:3468

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts /all_trusts
4⤵
PID:632

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
5⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/192-148-0x0000000000000000-mapping.dmp

Download
memory/212-149-0x0000000000000000-mapping.dmp

Download
memory/496-150-0x0000000000000000-mapping.dmp

Download
memory/632-154-0x0000000000000000-mapping.dmp

Download
memory/728-151-0x0000000000000000-mapping.dmp

Download
memory/904-133-0x0000000000000000-mapping.dmp

Download
memory/992-114-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/992-119-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/992-120-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/992-117-0x0000000002230000-0x000000000226D000-memory.dmp

Filesize
244KB

Download
memory/992-118-0x0000000002560000-0x000000000259B000-memory.dmp

Filesize
236KB

Download
memory/996-147-0x0000000000000000-mapping.dmp

Download
memory/1144-144-0x0000000000000000-mapping.dmp

Download
memory/1328-155-0x0000000000000000-mapping.dmp

Download
memory/1496-143-0x0000000000000000-mapping.dmp

Download
memory/2140-146-0x0000000000000000-mapping.dmp

Download
memory/2184-145-0x0000000000000000-mapping.dmp

Download
memory/2220-126-0x0000000000000000-mapping.dmp

Download
memory/2220-132-0x000002A3664E0000-0x000002A3664E1000-memory.dmp

Filesize
4KB

Download
memory/2872-140-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/2872-139-0x0000000000000000-mapping.dmp

Download
memory/3468-153-0x0000000000000000-mapping.dmp

Download
memory/3676-123-0x000002780B260000-0x000002780B261000-memory.dmp

Filesize
4KB

Download
memory/3676-122-0x000002780B150000-0x000002780B179000-memory.dmp

Filesize
164KB

Download
memory/3676-121-0x0000000000000000-mapping.dmp

Download
memory/3712-152-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing