trickbot | 25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1

General

Target

clb.dll
Size

588KB
MD5

4f142d0fca158d333b98bd20ec2c70c8
SHA1

716cab4911102cd47ebc577d5712ade3f55e1729
SHA256

25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1
SHA512

50a73179c814ebf6bf78142d9de61565f4cdf0886bbb6525cf37b4acae729b7b913a3f085d63bc482f63ee2099a638e3e519a41aba5e63a3078d577e56bc7826

Score

10^/10

trickbot rob136 banker collection suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 checkip.amazonaws.com
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

4256 net.exe
4996 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2864 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

408 svchost.exe
408 svchost.exe
1184 svchost.exe
1184 svchost.exe
1568 svchost.exe
1568 svchost.exe
1184 svchost.exe
1184 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3024 wermgr.exe
Token: SeDebugPrivilege 408 svchost.exe
Token: SeDebugPrivilege 1184 svchost.exe

flow	ioc
28	checkip.amazonaws.com

pid	process
4256	net.exe
4996	net.exe

pid	process
2864	ipconfig.exe

pid	process
408	svchost.exe
408	svchost.exe
1184	svchost.exe
1184	svchost.exe
1568	svchost.exe
1568	svchost.exe
1184	svchost.exe
1184	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3024	wermgr.exe
Token: SeDebugPrivilege	408	svchost.exe
Token: SeDebugPrivilege	1184	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 2324 wrote to memory of 4380	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 4380	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 4380	2324	rundll32.exe	rundll32.exe
PID 4380 wrote to memory of 3260	4380	rundll32.exe	cmd.exe
PID 4380 wrote to memory of 3260	4380	rundll32.exe	cmd.exe
PID 4380 wrote to memory of 3260	4380	rundll32.exe	cmd.exe
PID 4380 wrote to memory of 3024	4380	rundll32.exe	wermgr.exe
PID 4380 wrote to memory of 3024	4380	rundll32.exe	wermgr.exe
PID 4380 wrote to memory of 3024	4380	rundll32.exe	wermgr.exe
PID 4380 wrote to memory of 3024	4380	rundll32.exe	wermgr.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe
PID 3024 wrote to memory of 408	3024	wermgr.exe	svchost.exe

outlook_office_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\clb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\clb.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:3260

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\system32\cmd.exe
/c ipconfig /all
5⤵
PID:2624

C:\Windows\system32\ipconfig.exe
ipconfig /all
6⤵
- Gathers network information
PID:2864

C:\Windows\system32\cmd.exe
/c net config workstation
5⤵
PID:4304

C:\Windows\system32\net.exe
net config workstation
6⤵
PID:4088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
7⤵
PID:4032

C:\Windows\system32\cmd.exe
/c net view /all
5⤵
PID:2784

C:\Windows\system32\net.exe
net view /all
6⤵
- Discovers systems in the same network
PID:4256

C:\Windows\system32\cmd.exe
/c net view /all /domain
5⤵
PID:4236

C:\Windows\system32\net.exe
net view /all /domain
6⤵
- Discovers systems in the same network
PID:4996

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts
5⤵
PID:1364

C:\Windows\system32\nltest.exe
nltest /domain_trusts
6⤵
PID:4928

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts /all_trusts
5⤵
PID:4132

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
6⤵
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/408-132-0x0000000000000000-mapping.dmp

Download
memory/408-162-0x000001F740E70000-0x000001F740E72000-memory.dmp

Filesize
8KB

Download
memory/408-138-0x000001F740D20000-0x000001F740D21000-memory.dmp

Filesize
4KB

Download
memory/408-137-0x000001F740E70000-0x000001F740E72000-memory.dmp

Filesize
8KB

Download
memory/408-136-0x000001F740E70000-0x000001F740E72000-memory.dmp

Filesize
8KB

Download
memory/408-135-0x00000001800BE000-0x00000001800C5000-memory.dmp

Filesize
28KB

Download
memory/408-134-0x000000018009D000-0x00000001800B9000-memory.dmp

Filesize
112KB

Download
memory/408-133-0x0000000180001000-0x000000018009D000-memory.dmp

Filesize
624KB

Download
memory/1184-144-0x0000029BBBBC0000-0x0000029BBBBC2000-memory.dmp

Filesize
8KB

Download
memory/1184-139-0x0000000000000000-mapping.dmp

Download
memory/1184-142-0x0000000180081000-0x0000000180085000-memory.dmp

Filesize
16KB

Download
memory/1184-143-0x0000029BBBBC0000-0x0000029BBBBC2000-memory.dmp

Filesize
8KB

Download
memory/1184-141-0x0000000180061000-0x000000018007E000-memory.dmp

Filesize
116KB

Download
memory/1184-140-0x0000000180001000-0x0000000180061000-memory.dmp

Filesize
384KB

Download
memory/1364-158-0x0000000000000000-mapping.dmp

Download
memory/1568-147-0x0000000180006000-0x0000000180008000-memory.dmp

Filesize
8KB

Download
memory/1568-146-0x0000000180001000-0x0000000180006000-memory.dmp

Filesize
20KB

Download
memory/1568-148-0x0000000180009000-0x000000018000A000-memory.dmp

Filesize
4KB

Download
memory/1568-145-0x0000000000000000-mapping.dmp

Download
memory/2216-161-0x0000000000000000-mapping.dmp

Download
memory/2624-149-0x0000000000000000-mapping.dmp

Download
memory/2784-154-0x0000000000000000-mapping.dmp

Download
memory/2864-150-0x0000000000000000-mapping.dmp

Download
memory/3024-131-0x0000026634D20000-0x0000026634D22000-memory.dmp

Filesize
8KB

Download
memory/3024-128-0x0000026634AE0000-0x0000026634B09000-memory.dmp

Filesize
164KB

Download
memory/3024-129-0x0000026634B20000-0x0000026634B21000-memory.dmp

Filesize
4KB

Download
memory/3024-127-0x0000000000000000-mapping.dmp

Download
memory/3024-130-0x0000026634D20000-0x0000026634D22000-memory.dmp

Filesize
8KB

Download
memory/4032-153-0x0000000000000000-mapping.dmp

Download
memory/4088-152-0x0000000000000000-mapping.dmp

Download
memory/4132-160-0x0000000000000000-mapping.dmp

Download
memory/4236-156-0x0000000000000000-mapping.dmp

Download
memory/4256-155-0x0000000000000000-mapping.dmp

Download
memory/4304-151-0x0000000000000000-mapping.dmp

Download
memory/4380-126-0x0000000005071000-0x0000000005073000-memory.dmp

Filesize
8KB

Download
memory/4380-115-0x0000000000000000-mapping.dmp

Download
memory/4380-122-0x0000000005015000-0x0000000005016000-memory.dmp

Filesize
4KB

Download
memory/4380-121-0x0000000004FE1000-0x0000000005015000-memory.dmp

Filesize
208KB

Download
memory/4380-123-0x0000000004F00000-0x0000000004F39000-memory.dmp

Filesize
228KB

Download
memory/4380-124-0x0000000005020000-0x0000000005065000-memory.dmp

Filesize
276KB

Download
memory/4380-120-0x0000000004FA3000-0x0000000004FA4000-memory.dmp

Filesize
4KB

Download
memory/4380-125-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4380-119-0x0000000004FA1000-0x0000000004FA3000-memory.dmp

Filesize
8KB

Download
memory/4380-116-0x0000000004F60000-0x0000000004F9B000-memory.dmp

Filesize
236KB

Download
memory/4928-159-0x0000000000000000-mapping.dmp

Download
memory/4996-157-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads