trickbot | 1ea718dbbd43c2c38ac983783b74997feab9cf776294398218e49778d5a0983b

General

Target

fba1a412ee72b3eb54c0cbf7e7bf675a.exe
Size

360KB
MD5

fba1a412ee72b3eb54c0cbf7e7bf675a
SHA1

4497d5fcb93326ec5dc2f516d222b9bb4ff62c11
SHA256

1ea718dbbd43c2c38ac983783b74997feab9cf776294398218e49778d5a0983b
SHA512

49b163fd58d3b414a6eeb4be4fb05ed09e6cfdbd929e63e26064d7f9b39d4831f8df6e1a044721ea6622d0fc8a7b3b9c9c4f028de7d466e3ab3cdccfe1d812db

Score

10^/10

trickbot tot152 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

tot152

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 ident.me
49 ident.me
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

3728 net.exe
3164 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

744 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

4068 svchost.exe
4068 svchost.exe
1268 svchost.exe
1268 svchost.exe
636 svchost.exe
636 svchost.exe
1268 svchost.exe
1268 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1764 wermgr.exe
Token: SeDebugPrivilege 4068 svchost.exe
Token: SeDebugPrivilege 1268 svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fba1a412ee72b3eb54c0cbf7e7bf675a.exe

pid process

1644 fba1a412ee72b3eb54c0cbf7e7bf675a.exe
1644 fba1a412ee72b3eb54c0cbf7e7bf675a.exe

flow	ioc
48	ident.me
49	ident.me

pid	process
3728	net.exe
3164	net.exe

pid	process
744	ipconfig.exe

pid	process
4068	svchost.exe
4068	svchost.exe
1268	svchost.exe
1268	svchost.exe
636	svchost.exe
636	svchost.exe
1268	svchost.exe
1268	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1764	wermgr.exe
Token: SeDebugPrivilege	4068	svchost.exe
Token: SeDebugPrivilege	1268	svchost.exe

pid	process
1644	fba1a412ee72b3eb54c0cbf7e7bf675a.exe
1644	fba1a412ee72b3eb54c0cbf7e7bf675a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fba1a412ee72b3eb54c0cbf7e7bf675a.exewermgr.exe

description	pid	process	target process
PID 1644 wrote to memory of 1764	1644	fba1a412ee72b3eb54c0cbf7e7bf675a.exe	wermgr.exe
PID 1644 wrote to memory of 1764	1644	fba1a412ee72b3eb54c0cbf7e7bf675a.exe	wermgr.exe
PID 1644 wrote to memory of 2068	1644	fba1a412ee72b3eb54c0cbf7e7bf675a.exe	cmd.exe
PID 1644 wrote to memory of 2068	1644	fba1a412ee72b3eb54c0cbf7e7bf675a.exe	cmd.exe
PID 1644 wrote to memory of 1764	1644	fba1a412ee72b3eb54c0cbf7e7bf675a.exe	wermgr.exe
PID 1644 wrote to memory of 1764	1644	fba1a412ee72b3eb54c0cbf7e7bf675a.exe	wermgr.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe
PID 1764 wrote to memory of 4068	1764	wermgr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe
"C:\Users\Admin\AppData\Local\Temp\fba1a412ee72b3eb54c0cbf7e7bf675a.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Windows\system32\cmd.exe
/c ipconfig /all
4⤵
PID:1500

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:744

C:\Windows\system32\cmd.exe
/c net config workstation
4⤵
PID:4040

C:\Windows\system32\net.exe
net config workstation
5⤵
PID:1516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
6⤵
PID:8

C:\Windows\system32\cmd.exe
/c net view /all
4⤵
PID:3336

C:\Windows\system32\net.exe
net view /all
5⤵
- Discovers systems in the same network
PID:3728

C:\Windows\system32\cmd.exe
/c net view /all /domain
4⤵
PID:1332

C:\Windows\system32\net.exe
net view /all /domain
5⤵
- Discovers systems in the same network
PID:3164

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts
4⤵
PID:3148

C:\Windows\system32\nltest.exe
nltest /domain_trusts
5⤵
PID:3092

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts /all_trusts
4⤵
PID:3160

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
5⤵
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-147-0x0000000000000000-mapping.dmp

Download
memory/636-140-0x0000000180000000-0x000000018000A000-memory.dmp

Filesize
40KB

Download
memory/636-139-0x0000000000000000-mapping.dmp

Download
memory/744-144-0x0000000000000000-mapping.dmp

Download
memory/1268-133-0x0000000000000000-mapping.dmp

Download
memory/1332-150-0x0000000000000000-mapping.dmp

Download
memory/1500-143-0x0000000000000000-mapping.dmp

Download
memory/1516-146-0x0000000000000000-mapping.dmp

Download
memory/1644-120-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1644-114-0x0000000002BF0000-0x0000000002C2F000-memory.dmp

Filesize
252KB

Download
memory/1644-119-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/1644-118-0x0000000002C30000-0x0000000002C6B000-memory.dmp

Filesize
236KB

Download
memory/1644-117-0x0000000002BB0000-0x0000000002BED000-memory.dmp

Filesize
244KB

Download
memory/1764-122-0x000001BF2E1E0000-0x000001BF2E209000-memory.dmp

Filesize
164KB

Download
memory/1764-123-0x000001BF2E400000-0x000001BF2E401000-memory.dmp

Filesize
4KB

Download
memory/1764-121-0x0000000000000000-mapping.dmp

Download
memory/1800-155-0x0000000000000000-mapping.dmp

Download
memory/3092-153-0x0000000000000000-mapping.dmp

Download
memory/3148-152-0x0000000000000000-mapping.dmp

Download
memory/3160-154-0x0000000000000000-mapping.dmp

Download
memory/3164-151-0x0000000000000000-mapping.dmp

Download
memory/3336-148-0x0000000000000000-mapping.dmp

Download
memory/3728-149-0x0000000000000000-mapping.dmp

Download
memory/4040-145-0x0000000000000000-mapping.dmp

Download
memory/4068-127-0x000001511A9B0000-0x000001511A9B1000-memory.dmp

Filesize
4KB

Download
memory/4068-126-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing