trickbot | bc387de543591660fa5cfb3f69e0c7d704b8be15b6ab631d2108477f1ea46424

General

Target

zmoperes.ri.exe
Size

313KB
MD5

104b457b6d90fc80ff2dbbcebbb7ca8b
SHA1

7842611837af04d7c986de21ab2454ed397014de
SHA256

1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f
SHA512

504b6d45d0dbafadbefbc30d137ecf399a79bbfefe11418e5defec4f9b6ee66d170ecc12c5e9bd76511403d357d071e71d56f57e2587e558c3a91b3a0ef21df0
SSDEEP

6144:cqzfvclHbmBwuKj6BkT4GvEH5sLLJ6vd4p:cqzHWHbmQGBkT46689I

Score

10^/10

trickbot sat17 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000229

Botnet

sat17

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

118.91.178.101:443

158.58.131.54:443

70.114.186.116:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

162.247.37.252:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

185.129.193.221:443

184.68.167.42:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3996-132-0x0000000010000000-0x0000000010040000-memory.dmp	trickbot_loader32
behavioral2/memory/3552-139-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral2/memory/1668-158-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

zmopeset.ri.exezmopeset.ri.exe

pid process

2780 zmopeset.ri.exe
1668 zmopeset.ri.exe

pid	process
2780	zmopeset.ri.exe
1668	zmopeset.ri.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe = "C:\\Users\\Admin\\AppData\\Roaming\\msnet\\zmopeset.ri.exe"	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 myexternalip.com
50 myexternalip.com

flow	ioc
48	myexternalip.com
50	myexternalip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

zmoperes.ri.exezmopeset.ri.exe

description	pid	process	target process
PID 3996 set thread context of 3552	3996	zmoperes.ri.exe	zmoperes.ri.exe
PID 2780 set thread context of 1668	2780	zmopeset.ri.exe	zmopeset.ri.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

zmoperes.ri.exezmopeset.ri.exe

pid process

3996 zmoperes.ri.exe
2780 zmopeset.ri.exe

pid	process
3996	zmoperes.ri.exe
2780	zmopeset.ri.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

zmoperes.ri.exezmoperes.ri.exezmopeset.ri.exezmopeset.ri.exe

description	pid	process	target process
PID 3996 wrote to memory of 3552	3996	zmoperes.ri.exe	zmoperes.ri.exe
PID 3996 wrote to memory of 3552	3996	zmoperes.ri.exe	zmoperes.ri.exe
PID 3996 wrote to memory of 3552	3996	zmoperes.ri.exe	zmoperes.ri.exe
PID 3996 wrote to memory of 3552	3996	zmoperes.ri.exe	zmoperes.ri.exe
PID 3552 wrote to memory of 2780	3552	zmoperes.ri.exe	zmopeset.ri.exe
PID 3552 wrote to memory of 2780	3552	zmoperes.ri.exe	zmopeset.ri.exe
PID 3552 wrote to memory of 2780	3552	zmoperes.ri.exe	zmopeset.ri.exe
PID 2780 wrote to memory of 1668	2780	zmopeset.ri.exe	zmopeset.ri.exe
PID 2780 wrote to memory of 1668	2780	zmopeset.ri.exe	zmopeset.ri.exe
PID 2780 wrote to memory of 1668	2780	zmopeset.ri.exe	zmopeset.ri.exe
PID 2780 wrote to memory of 1668	2780	zmopeset.ri.exe	zmopeset.ri.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe
PID 1668 wrote to memory of 4632	1668	zmopeset.ri.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\zmoperes.ri.exe
"C:\Users\Admin\AppData\Local\Temp\zmoperes.ri.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\zmoperes.ri.exe
"C:\Users\Admin\AppData\Local\Temp\zmoperes.ri.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Adds Run key to start application
PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\0f5007522459c86e95ffcc62f32308f1_9be0bf4d-f8db-4af4-be85-dc38433c9501
Filesize
1KB

MD5
a97dd1f94a53bfeb9eb63e5b235a63a1

SHA1
a107fa5351e8e67fa515fc6d606c8686e70541bd

SHA256
d84373c8d5d6bd275d9bdeabb5051dee498bc181ebdd8dabd2a1c005fd47c762

SHA512
c5f652355d56c4d9f152fdf3323398776bb434a712dea980c71edc0b349caeda9340b81fd66746bf5a792fe840860b98bfdf92549dcd12822d4ae768628246b9

Download Submit
C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
Filesize
313KB

MD5
104b457b6d90fc80ff2dbbcebbb7ca8b

SHA1
7842611837af04d7c986de21ab2454ed397014de

SHA256
1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f

SHA512
504b6d45d0dbafadbefbc30d137ecf399a79bbfefe11418e5defec4f9b6ee66d170ecc12c5e9bd76511403d357d071e71d56f57e2587e558c3a91b3a0ef21df0

Download Submit
C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
Filesize
313KB

MD5
104b457b6d90fc80ff2dbbcebbb7ca8b

SHA1
7842611837af04d7c986de21ab2454ed397014de

SHA256
1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f

SHA512
504b6d45d0dbafadbefbc30d137ecf399a79bbfefe11418e5defec4f9b6ee66d170ecc12c5e9bd76511403d357d071e71d56f57e2587e558c3a91b3a0ef21df0

Download Submit
C:\Users\Admin\AppData\Roaming\msnet\zmopeset.ri.exe
Filesize
313KB

MD5
104b457b6d90fc80ff2dbbcebbb7ca8b

SHA1
7842611837af04d7c986de21ab2454ed397014de

SHA256
1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f

SHA512
504b6d45d0dbafadbefbc30d137ecf399a79bbfefe11418e5defec4f9b6ee66d170ecc12c5e9bd76511403d357d071e71d56f57e2587e558c3a91b3a0ef21df0

Download Submit
memory/1668-144-0x0000000000000000-mapping.dmp

Download
memory/1668-147-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1668-158-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2780-136-0x0000000000000000-mapping.dmp

Download
memory/3552-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3552-135-0x0000000000000000-mapping.dmp

Download
memory/3996-132-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/4632-150-0x0000000000000000-mapping.dmp

Download
memory/4632-152-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads