trickbot | 25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1

General

Target

clb.dll
Size

588KB
MD5

4f142d0fca158d333b98bd20ec2c70c8
SHA1

716cab4911102cd47ebc577d5712ade3f55e1729
SHA256

25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1
SHA512

50a73179c814ebf6bf78142d9de61565f4cdf0886bbb6525cf37b4acae729b7b913a3f085d63bc482f63ee2099a638e3e519a41aba5e63a3078d577e56bc7826

Score

10^/10

trickbot rob136 banker collection suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

932 net.exe
1932 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1976 ipconfig.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

2648 svchost.exe
2648 svchost.exe
1920 svchost.exe
1920 svchost.exe
1420 svchost.exe
1420 svchost.exe
1920 svchost.exe
1920 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 928 wermgr.exe
Token: SeDebugPrivilege 2648 svchost.exe
Token: SeDebugPrivilege 1920 svchost.exe

pid	process
932	net.exe
1932	net.exe

pid	process
1976	ipconfig.exe

pid	process
2648	svchost.exe
2648	svchost.exe
1920	svchost.exe
1920	svchost.exe
1420	svchost.exe
1420	svchost.exe
1920	svchost.exe
1920	svchost.exe

description	pid	process
Token: SeDebugPrivilege	928	wermgr.exe
Token: SeDebugPrivilege	2648	svchost.exe
Token: SeDebugPrivilege	1920	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exewermgr.exe

description	pid	process	target process
PID 1380 wrote to memory of 3340	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 3340	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 3340	1380	rundll32.exe	rundll32.exe
PID 3340 wrote to memory of 648	3340	rundll32.exe	cmd.exe
PID 3340 wrote to memory of 648	3340	rundll32.exe	cmd.exe
PID 3340 wrote to memory of 648	3340	rundll32.exe	cmd.exe
PID 3340 wrote to memory of 928	3340	rundll32.exe	wermgr.exe
PID 3340 wrote to memory of 928	3340	rundll32.exe	wermgr.exe
PID 3340 wrote to memory of 928	3340	rundll32.exe	wermgr.exe
PID 3340 wrote to memory of 928	3340	rundll32.exe	wermgr.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe
PID 928 wrote to memory of 2648	928	wermgr.exe	svchost.exe

outlook_office_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\clb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\clb.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:648

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\system32\cmd.exe
/c ipconfig /all
5⤵
PID:1624

C:\Windows\system32\ipconfig.exe
ipconfig /all
6⤵
- Gathers network information
PID:1976

C:\Windows\system32\cmd.exe
/c net config workstation
5⤵
PID:2260

C:\Windows\system32\net.exe
net config workstation
6⤵
PID:2116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
7⤵
PID:4076

C:\Windows\system32\cmd.exe
/c net view /all
5⤵
PID:3512

C:\Windows\system32\net.exe
net view /all
6⤵
- Discovers systems in the same network
PID:932

C:\Windows\system32\cmd.exe
/c net view /all /domain
5⤵
PID:984

C:\Windows\system32\net.exe
net view /all /domain
6⤵
- Discovers systems in the same network
PID:1932

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts
5⤵
PID:2076

C:\Windows\system32\nltest.exe
nltest /domain_trusts
6⤵
PID:3620

C:\Windows\system32\cmd.exe
/c nltest /domain_trusts /all_trusts
5⤵
PID:3636

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
6⤵
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-129-0x000001E39F960000-0x000001E39F961000-memory.dmp

Filesize
4KB

Download
memory/928-131-0x000001E39FAA0000-0x000001E39FAA2000-memory.dmp

Filesize
8KB

Download
memory/928-130-0x000001E39FAA0000-0x000001E39FAA2000-memory.dmp

Filesize
8KB

Download
memory/928-127-0x0000000000000000-mapping.dmp

Download
memory/928-128-0x000001E39F850000-0x000001E39F879000-memory.dmp

Filesize
164KB

Download
memory/932-155-0x0000000000000000-mapping.dmp

Download
memory/984-156-0x0000000000000000-mapping.dmp

Download
memory/1420-148-0x0000000180009000-0x000000018000A000-memory.dmp

Filesize
4KB

Download
memory/1420-147-0x0000000180006000-0x0000000180008000-memory.dmp

Filesize
8KB

Download
memory/1420-146-0x0000000180001000-0x0000000180006000-memory.dmp

Filesize
20KB

Download
memory/1420-145-0x0000000000000000-mapping.dmp

Download
memory/1624-149-0x0000000000000000-mapping.dmp

Download
memory/1920-139-0x0000000000000000-mapping.dmp

Download
memory/1920-140-0x0000000180001000-0x0000000180061000-memory.dmp

Filesize
384KB

Download
memory/1920-144-0x000001A2610C0000-0x000001A2610C2000-memory.dmp

Filesize
8KB

Download
memory/1920-143-0x000001A2610C0000-0x000001A2610C2000-memory.dmp

Filesize
8KB

Download
memory/1920-142-0x0000000180081000-0x0000000180085000-memory.dmp

Filesize
16KB

Download
memory/1920-141-0x0000000180061000-0x000000018007E000-memory.dmp

Filesize
116KB

Download
memory/1932-157-0x0000000000000000-mapping.dmp

Download
memory/1976-150-0x0000000000000000-mapping.dmp

Download
memory/2076-158-0x0000000000000000-mapping.dmp

Download
memory/2116-152-0x0000000000000000-mapping.dmp

Download
memory/2260-151-0x0000000000000000-mapping.dmp

Download
memory/2648-135-0x00000001800BE000-0x00000001800C5000-memory.dmp

Filesize
28KB

Download
memory/2648-138-0x00000167DEDD0000-0x00000167DEDD1000-memory.dmp

Filesize
4KB

Download
memory/2648-137-0x00000167DEF30000-0x00000167DEF32000-memory.dmp

Filesize
8KB

Download
memory/2648-136-0x00000167DEF30000-0x00000167DEF32000-memory.dmp

Filesize
8KB

Download
memory/2648-134-0x000000018009D000-0x00000001800B9000-memory.dmp

Filesize
112KB

Download
memory/2648-133-0x0000000180001000-0x000000018009D000-memory.dmp

Filesize
624KB

Download
memory/2648-132-0x0000000000000000-mapping.dmp

Download
memory/2648-162-0x00000167DEF30000-0x00000167DEF32000-memory.dmp

Filesize
8KB

Download
memory/2668-161-0x0000000000000000-mapping.dmp

Download
memory/3340-124-0x0000000004780000-0x00000000047C5000-memory.dmp

Filesize
276KB

Download
memory/3340-115-0x0000000000000000-mapping.dmp

Download
memory/3340-122-0x0000000004775000-0x0000000004776000-memory.dmp

Filesize
4KB

Download
memory/3340-121-0x0000000004741000-0x0000000004775000-memory.dmp

Filesize
208KB

Download
memory/3340-126-0x0000000002C31000-0x0000000002C33000-memory.dmp

Filesize
8KB

Download
memory/3340-120-0x0000000004703000-0x0000000004704000-memory.dmp

Filesize
4KB

Download
memory/3340-116-0x00000000046C0000-0x00000000046FB000-memory.dmp

Filesize
236KB

Download
memory/3340-125-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/3340-123-0x0000000004500000-0x000000000458E000-memory.dmp

Filesize
568KB

Download
memory/3340-119-0x0000000004701000-0x0000000004703000-memory.dmp

Filesize
8KB

Download
memory/3512-154-0x0000000000000000-mapping.dmp

Download
memory/3620-159-0x0000000000000000-mapping.dmp

Download
memory/3636-160-0x0000000000000000-mapping.dmp

Download
memory/4076-153-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads