trickbot | f148ce48975a10fab19af13adbaadb5a8dc6b737fe3c13a5a5e2d8b53f59b72f

Analysis

max time kernel
144s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b535835648e9b123abe3bc278419349.exe
Size

1.2MB
MD5

8b535835648e9b123abe3bc278419349
SHA1

0650bacf01e9f3e41be961f2ee9b4eb661e064a0
SHA256

f148ce48975a10fab19af13adbaadb5a8dc6b737fe3c13a5a5e2d8b53f59b72f
SHA512

023892b6b4fff0f6ce23a42132e37dc624d445417d31d307fba3e8f92f4f047fbfb2c77d59260a16136bed2e5d19ee87e5142a1c98515c1bd622272f7225e54f
SSDEEP

24576:aQCxw3cNf8dX1B5GhIviV81pTXSg/vVDlIBPWjlryy7zcivN:aQi5f8dlLGC6G/TXJli4jlh7zzl

Score

10^/10

trickbot mor1 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

2000022

Botnet

mor1

85.204.116.83:443

91.200.100.143:443

83.151.14.13:443

107.191.61.39:443

113.160.129.15:443

139.162.182.54:443

139.162.44.152:443

144.202.106.23:443

158.247.219.186:443

172.105.107.25:443

172.105.190.51:443

172.105.196.53:443

172.105.25.190:443

178.79.138.253:443

192.46.229.48:443

207.246.92.48:443

216.128.130.16:443

45.79.126.97:443

45.79.155.9:443

45.79.212.97:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 3 IoCs

Processes:

Tu.comTu.comTu.com

pid process

2796 Tu.com
2688 Tu.com
2464 Tu.com
Loads dropped DLL 3 IoCs

Processes:

cmd.exeTu.comTu.com

pid process

2316 cmd.exe
2796 Tu.com
2688 Tu.com

pid	process
2796	Tu.com
2688	Tu.com
2464	Tu.com

pid	process
2316	cmd.exe
2796	Tu.com
2688	Tu.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8b535835648e9b123abe3bc278419349.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b535835648e9b123abe3bc278419349.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tu.com

description pid process target process

PID 2688 set thread context of 2464 2688 Tu.com Tu.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3048 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1096 wermgr.exe

description	pid	process	target process
PID 2688 set thread context of 2464	2688	Tu.com	Tu.com

pid	process
3048	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1096	wermgr.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

8b535835648e9b123abe3bc278419349.execmd.execmd.exeTu.comTu.comTu.com

description	pid	process	target process
PID 2436 wrote to memory of 2360	2436	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2436 wrote to memory of 2360	2436	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2436 wrote to memory of 2360	2436	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2436 wrote to memory of 2360	2436	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2436 wrote to memory of 2864	2436	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2436 wrote to memory of 2864	2436	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2436 wrote to memory of 2864	2436	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2436 wrote to memory of 2864	2436	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2864 wrote to memory of 2160	2864	cmd.exe	certutil.exe
PID 2864 wrote to memory of 2160	2864	cmd.exe	certutil.exe
PID 2864 wrote to memory of 2160	2864	cmd.exe	certutil.exe
PID 2864 wrote to memory of 2160	2864	cmd.exe	certutil.exe
PID 2864 wrote to memory of 2316	2864	cmd.exe	cmd.exe
PID 2864 wrote to memory of 2316	2864	cmd.exe	cmd.exe
PID 2864 wrote to memory of 2316	2864	cmd.exe	cmd.exe
PID 2864 wrote to memory of 2316	2864	cmd.exe	cmd.exe
PID 2316 wrote to memory of 2424	2316	cmd.exe	findstr.exe
PID 2316 wrote to memory of 2424	2316	cmd.exe	findstr.exe
PID 2316 wrote to memory of 2424	2316	cmd.exe	findstr.exe
PID 2316 wrote to memory of 2424	2316	cmd.exe	findstr.exe
PID 2316 wrote to memory of 2712	2316	cmd.exe	certutil.exe
PID 2316 wrote to memory of 2712	2316	cmd.exe	certutil.exe
PID 2316 wrote to memory of 2712	2316	cmd.exe	certutil.exe
PID 2316 wrote to memory of 2712	2316	cmd.exe	certutil.exe
PID 2316 wrote to memory of 2796	2316	cmd.exe	Tu.com
PID 2316 wrote to memory of 2796	2316	cmd.exe	Tu.com
PID 2316 wrote to memory of 2796	2316	cmd.exe	Tu.com
PID 2316 wrote to memory of 2796	2316	cmd.exe	Tu.com
PID 2316 wrote to memory of 3048	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 3048	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 3048	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 3048	2316	cmd.exe	PING.EXE
PID 2796 wrote to memory of 2688	2796	Tu.com	Tu.com
PID 2796 wrote to memory of 2688	2796	Tu.com	Tu.com
PID 2796 wrote to memory of 2688	2796	Tu.com	Tu.com
PID 2796 wrote to memory of 2688	2796	Tu.com	Tu.com
PID 2688 wrote to memory of 2464	2688	Tu.com	Tu.com
PID 2688 wrote to memory of 2464	2688	Tu.com	Tu.com
PID 2688 wrote to memory of 2464	2688	Tu.com	Tu.com
PID 2688 wrote to memory of 2464	2688	Tu.com	Tu.com
PID 2688 wrote to memory of 2464	2688	Tu.com	Tu.com
PID 2688 wrote to memory of 2464	2688	Tu.com	Tu.com
PID 2464 wrote to memory of 696	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 696	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 696	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 696	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 1096	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 1096	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 1096	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 1096	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 1096	2464	Tu.com	wermgr.exe
PID 2464 wrote to memory of 1096	2464	Tu.com	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe
"C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c izXS
2⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode Popolato.swf Illusione.xps & cmd < Illusione.xps
2⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^UOpoEgaVehXLEkHGsAIAKQwrPZk$" Dai.vstm
4⤵
PID:2424

C:\Windows\SysWOW64\certutil.exe
certutil -decode Turba.csv W
4⤵
PID:2712

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:3048

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
Tu.com W
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\certutil.exe
certutil -decode Popolato.swf Illusione.xps
1⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com W
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
PID:696

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab69AD.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dai.vstm
Filesize
382KB

MD5
9c14afca6989fcacd48c974694845515

SHA1
e606b3f5f480b436ca8a7e7df262c0b2d9eab718

SHA256
7b08371d1c8010746759bd021dbc9c59dfb590257cb2e7237ee963f0d074ea0e

SHA512
315d3a935a2fa14b0f3b13e902920df87a431d41e36e9587c66fd9d04e4d235cc46ad2ade85ed49026f2ca9fd93240813e5dc96e88df8a9352e6cfcd6586f400

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.xps
Filesize
27KB

MD5
2b7d94cc6c10c0bdf0a6680991672fa7

SHA1
0929b3d2134cc6abe27b32fa08eb3a80c7200cb3

SHA256
d09840fa762fcaf5c48eec88bc04bcfa974613402cd43493e7d516438a0cc5bd

SHA512
931dca24d63521a427c0f30fcf97c32a72244b09ac8d4ca5a949ff1e85280f685381ab273fdc2d6413869044a2590930b7b166752a352513a7da7f9ff02448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Popolato.swf
Filesize
38KB

MD5
617289b98bf0f2b52f3b16654dc2c568

SHA1
0b59918c027484c0ad4263ccccde302eb6d656fd

SHA256
842b71b2a95c233fed224119e4dc66eed3f03c2ea35e90e8a90617529c04806e

SHA512
7dec44be174fbd5114d557f62600dc1522bc1ee6e036fc163b6bed9ef665ea83b6bff6725617eedb344966a6b390dfff3958e63866016cc14fbfdf0374368f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
Filesize
32KB

MD5
d9634d01c57a0c184c762b953be2de11

SHA1
a09772e18c4778b913f75cb5e7a0d9dbcde85a05

SHA256
8dc1c83d46b9c2be3b55f8ddf21a70d793d798554a492a15eb01821d3502194c

SHA512
790ed07bcde4b0d557ba6043bcf870d27dbdcdf9063500111bc4e64020ecc44d59df843bcf4a543d50fbc5fd8d015d5f28fe871de6908361de2ca70e3d3cdcd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Turba.csv
Filesize
92KB

MD5
94d696ca80cee6b2945b5441f1ec00fc

SHA1
256093ade5b6ce60974e757ac897377b40498c0c

SHA256
9a1bc11800a11786a97e775bdac453df3d0e802d516175bd0fb4d1db017d5b15

SHA512
b156ba19e2eca13d26479946803874a705fbf37d6c0219a4ffd29272d4dcd1bd8d04580d35eb98fa0988f05aacd7a544738c562929b714b4f2ed8d51750f2210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
Filesize
92KB

MD5
6dbdf3e005c3e948193144aef1910b44

SHA1
48e507c5892fc79bad6f3b9bd1e21c5942ad2b87

SHA256
74e9ba7a2d3f8dc93988d2121d9d81d72abe8e29533210858bc49a04258e29a2

SHA512
1c414444f1fb2704b0a4cc97e1a73356206179ceee816166513d2e26b72910aeae2e5832133740ee611cd43a8536da2726fa0fc4f69638f4cbaae03ef88f1140

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/1096-178-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1096-179-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/1096-180-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/2464-177-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2464-176-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2464-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-25-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download