trickbot | 0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277

General

Target

a784f1a3c6d9391c65ffba7818168e25.dll
Size

520KB
MD5

a784f1a3c6d9391c65ffba7818168e25
SHA1

f050b4bc1e583400fd687eb174770692753d1700
SHA256

0cea65ac6779cc107ee1f79ca5c7d70c8bd5027e02e567b7c597485ad175d277
SHA512

9927aa957101a024794d0c61ba7924ad0e2b34f8f4d5c28eac5ef9547605f816af21bb01cfc100dfd6bed3440b013ad27c16801aaf7e4fbe01da5333186220f1

Score

10^/10

trickbot rob133 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob133

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Trickbot Checkin Response
suricata: ET MALWARE Trickbot Checkin Response
suricata
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 checkip.amazonaws.com
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

568 net.exe
1464 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3324 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

3972 svchost.exe
3972 svchost.exe
3668 svchost.exe
3668 svchost.exe
2124 svchost.exe
2124 svchost.exe
3668 svchost.exe
3668 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 316 wermgr.exe
Token: SeDebugPrivilege 3972 svchost.exe
Token: SeDebugPrivilege 3668 svchost.exe

flow	ioc
32	checkip.amazonaws.com

pid	process
568	net.exe
1464	net.exe

pid	process
3324	ipconfig.exe

pid	process
3972	svchost.exe
3972	svchost.exe
3668	svchost.exe
3668	svchost.exe
2124	svchost.exe
2124	svchost.exe
3668	svchost.exe
3668	svchost.exe

description	pid	process
Token: SeDebugPrivilege	316	wermgr.exe
Token: SeDebugPrivilege	3972	svchost.exe
Token: SeDebugPrivilege	3668	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 2752 wrote to memory of 2740	2752	rundll32.exe	rundll32.exe
PID 2752 wrote to memory of 2740	2752	rundll32.exe	rundll32.exe
PID 2752 wrote to memory of 2740	2752	rundll32.exe	rundll32.exe
PID 2740 wrote to memory of 3848	2740	rundll32.exe	cmd.exe
PID 2740 wrote to memory of 3848	2740	rundll32.exe	cmd.exe
PID 2740 wrote to memory of 3848	2740	rundll32.exe	cmd.exe
PID 2740 wrote to memory of 316	2740	rundll32.exe	wermgr.exe
PID 2740 wrote to memory of 316	2740	rundll32.exe	wermgr.exe
PID 2740 wrote to memory of 316	2740	rundll32.exe	wermgr.exe
PID 2740 wrote to memory of 316	2740	rundll32.exe	wermgr.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe
PID 316 wrote to memory of 3972	316	wermgr.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a784f1a3c6d9391c65ffba7818168e25.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a784f1a3c6d9391c65ffba7818168e25.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:3848

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124

C:\Windows\system32\cmd.exe
/c ipconfig /all
5⤵
PID:3784

C:\Windows\system32\ipconfig.exe
ipconfig /all
6⤵
- Gathers network information
PID:3324

C:\Windows\system32\cmd.exe
/c net config workstation
5⤵
PID:3204

C:\Windows\system32\net.exe
net config workstation
6⤵
PID:1716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
7⤵
PID:3064

C:\Windows\system32\cmd.exe
/c net view /all
5⤵
PID:2752

C:\Windows\system32\net.exe
net view /all
6⤵
- Discovers systems in the same network
PID:568

C:\Windows\system32\cmd.exe
/c net view /all /domain
5⤵
PID:3788

C:\Windows\system32\net.exe
net view /all /domain
6⤵
- Discovers systems in the same network
PID:1464

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts
5⤵
PID:2768

C:\Windows\system32\nltest.exe
nltest /domain_trusts
6⤵
PID:2284

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts /all_trusts
5⤵
PID:2248

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
6⤵
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-127-0x0000000000000000-mapping.dmp

Download
memory/316-128-0x000001BF19450000-0x000001BF19478000-memory.dmp

Filesize
160KB

Download
memory/316-129-0x000001BF19660000-0x000001BF19661000-memory.dmp

Filesize
4KB

Download
memory/568-155-0x0000000000000000-mapping.dmp

Download
memory/872-161-0x0000000000000000-mapping.dmp

Download
memory/1464-157-0x0000000000000000-mapping.dmp

Download
memory/1716-152-0x0000000000000000-mapping.dmp

Download
memory/2124-145-0x0000000000000000-mapping.dmp

Download
memory/2124-146-0x0000000180000000-0x000000018000A000-memory.dmp

Filesize
40KB

Download
memory/2248-160-0x0000000000000000-mapping.dmp

Download
memory/2284-159-0x0000000000000000-mapping.dmp

Download
memory/2740-126-0x00000000029F1000-0x00000000029F3000-memory.dmp

Filesize
8KB

Download
memory/2740-116-0x0000000002C80000-0x0000000002CBB000-memory.dmp

Filesize
236KB

Download
memory/2740-119-0x0000000002F80000-0x0000000002FB9000-memory.dmp

Filesize
228KB

Download
memory/2740-115-0x0000000000000000-mapping.dmp

Download
memory/2740-121-0x00000000046C0000-0x00000000046F8000-memory.dmp

Filesize
224KB

Download
memory/2740-124-0x0000000004720000-0x0000000004764000-memory.dmp

Filesize
272KB

Download
memory/2740-125-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/2740-123-0x0000000002870000-0x00000000029BA000-memory.dmp

Filesize
1.3MB

Download
memory/2752-154-0x0000000000000000-mapping.dmp

Download
memory/2768-158-0x0000000000000000-mapping.dmp

Download
memory/3064-153-0x0000000000000000-mapping.dmp

Download
memory/3204-151-0x0000000000000000-mapping.dmp

Download
memory/3324-150-0x0000000000000000-mapping.dmp

Download
memory/3668-139-0x0000000000000000-mapping.dmp

Download
memory/3784-149-0x0000000000000000-mapping.dmp

Download
memory/3788-156-0x0000000000000000-mapping.dmp

Download
memory/3972-138-0x000001BF54410000-0x000001BF54411000-memory.dmp

Filesize
4KB

Download
memory/3972-132-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing