trickbot | f148ce48975a10fab19af13adbaadb5a8dc6b737fe3c13a5a5e2d8b53f59b72f

Analysis

max time kernel
131s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b535835648e9b123abe3bc278419349.exe
Size

1.2MB
MD5

8b535835648e9b123abe3bc278419349
SHA1

0650bacf01e9f3e41be961f2ee9b4eb661e064a0
SHA256

f148ce48975a10fab19af13adbaadb5a8dc6b737fe3c13a5a5e2d8b53f59b72f
SHA512

023892b6b4fff0f6ce23a42132e37dc624d445417d31d307fba3e8f92f4f047fbfb2c77d59260a16136bed2e5d19ee87e5142a1c98515c1bd622272f7225e54f
SSDEEP

24576:aQCxw3cNf8dX1B5GhIviV81pTXSg/vVDlIBPWjlryy7zcivN:aQi5f8dlLGC6G/TXJli4jlh7zzl

Score

10^/10

trickbot mor1 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

2000022

Botnet

mor1

85.204.116.83:443

91.200.100.143:443

83.151.14.13:443

107.191.61.39:443

113.160.129.15:443

139.162.182.54:443

139.162.44.152:443

144.202.106.23:443

158.247.219.186:443

172.105.107.25:443

172.105.190.51:443

172.105.196.53:443

172.105.25.190:443

178.79.138.253:443

192.46.229.48:443

207.246.92.48:443

216.128.130.16:443

45.79.126.97:443

45.79.155.9:443

45.79.212.97:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 3 IoCs

Processes:

Tu.comTu.comTu.com

pid process

2600 Tu.com
3028 Tu.com
2984 Tu.com
Loads dropped DLL 3 IoCs

Processes:

cmd.exeTu.comTu.com

pid process

2720 cmd.exe
2600 Tu.com
3028 Tu.com

pid	process
2600	Tu.com
3028	Tu.com
2984	Tu.com

pid	process
2720	cmd.exe
2600	Tu.com
3028	Tu.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8b535835648e9b123abe3bc278419349.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b535835648e9b123abe3bc278419349.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tu.com

description pid process target process

PID 3028 set thread context of 2984 3028 Tu.com Tu.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2800 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 452 wermgr.exe

description	pid	process	target process
PID 3028 set thread context of 2984	3028	Tu.com	Tu.com

pid	process
2800	PING.EXE

description	pid	process
Token: SeDebugPrivilege	452	wermgr.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

8b535835648e9b123abe3bc278419349.execmd.execmd.exeTu.comTu.comTu.com

description	pid	process	target process
PID 2376 wrote to memory of 2704	2376	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2376 wrote to memory of 2704	2376	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2376 wrote to memory of 2704	2376	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2376 wrote to memory of 2704	2376	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2376 wrote to memory of 2780	2376	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2376 wrote to memory of 2780	2376	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2376 wrote to memory of 2780	2376	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2376 wrote to memory of 2780	2376	8b535835648e9b123abe3bc278419349.exe	cmd.exe
PID 2780 wrote to memory of 2900	2780	cmd.exe	certutil.exe
PID 2780 wrote to memory of 2900	2780	cmd.exe	certutil.exe
PID 2780 wrote to memory of 2900	2780	cmd.exe	certutil.exe
PID 2780 wrote to memory of 2900	2780	cmd.exe	certutil.exe
PID 2780 wrote to memory of 2720	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 2720	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 2720	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 2720	2780	cmd.exe	cmd.exe
PID 2720 wrote to memory of 2572	2720	cmd.exe	findstr.exe
PID 2720 wrote to memory of 2572	2720	cmd.exe	findstr.exe
PID 2720 wrote to memory of 2572	2720	cmd.exe	findstr.exe
PID 2720 wrote to memory of 2572	2720	cmd.exe	findstr.exe
PID 2720 wrote to memory of 2680	2720	cmd.exe	certutil.exe
PID 2720 wrote to memory of 2680	2720	cmd.exe	certutil.exe
PID 2720 wrote to memory of 2680	2720	cmd.exe	certutil.exe
PID 2720 wrote to memory of 2680	2720	cmd.exe	certutil.exe
PID 2720 wrote to memory of 2600	2720	cmd.exe	Tu.com
PID 2720 wrote to memory of 2600	2720	cmd.exe	Tu.com
PID 2720 wrote to memory of 2600	2720	cmd.exe	Tu.com
PID 2720 wrote to memory of 2600	2720	cmd.exe	Tu.com
PID 2720 wrote to memory of 2800	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 2800	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 2800	2720	cmd.exe	PING.EXE
PID 2720 wrote to memory of 2800	2720	cmd.exe	PING.EXE
PID 2600 wrote to memory of 3028	2600	Tu.com	Tu.com
PID 2600 wrote to memory of 3028	2600	Tu.com	Tu.com
PID 2600 wrote to memory of 3028	2600	Tu.com	Tu.com
PID 2600 wrote to memory of 3028	2600	Tu.com	Tu.com
PID 3028 wrote to memory of 2984	3028	Tu.com	Tu.com
PID 3028 wrote to memory of 2984	3028	Tu.com	Tu.com
PID 3028 wrote to memory of 2984	3028	Tu.com	Tu.com
PID 3028 wrote to memory of 2984	3028	Tu.com	Tu.com
PID 3028 wrote to memory of 2984	3028	Tu.com	Tu.com
PID 3028 wrote to memory of 2984	3028	Tu.com	Tu.com
PID 2984 wrote to memory of 2176	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 2176	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 2176	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 2176	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 452	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 452	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 452	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 452	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 452	2984	Tu.com	wermgr.exe
PID 2984 wrote to memory of 452	2984	Tu.com	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe
"C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c izXS
2⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode Popolato.swf Illusione.xps & cmd < Illusione.xps
2⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^UOpoEgaVehXLEkHGsAIAKQwrPZk$" Dai.vstm
4⤵
PID:2572

C:\Windows\SysWOW64\certutil.exe
certutil -decode Turba.csv W
4⤵
PID:2680

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
Tu.com W
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com W
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
7⤵
PID:2176

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\SysWOW64\certutil.exe
certutil -decode Popolato.swf Illusione.xps
3⤵
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab7226.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dai.vstm
Filesize
921KB

MD5
35fde30343a8651ad541e796d764a052

SHA1
66b2c2b29f3f666ed4b290e7e48650cb4b20e303

SHA256
0ece2aec545f79a310010bf1b36dad830944f8f089afee9141cd260f95c36b59

SHA512
3aa2f31d1525867ccedb7161a9647c9d275fc61f58cd31599e05ae2dda0643f3b5b7234c61f260d583a74b17eaecbceb2e3e4b6a6a386b164c9bbf1d2b9a38b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.xps
Filesize
27KB

MD5
2b7d94cc6c10c0bdf0a6680991672fa7

SHA1
0929b3d2134cc6abe27b32fa08eb3a80c7200cb3

SHA256
d09840fa762fcaf5c48eec88bc04bcfa974613402cd43493e7d516438a0cc5bd

SHA512
931dca24d63521a427c0f30fcf97c32a72244b09ac8d4ca5a949ff1e85280f685381ab273fdc2d6413869044a2590930b7b166752a352513a7da7f9ff02448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Infinita.flv
Filesize
235KB

MD5
c4e07c0bfe2859c8ff06a483545792e6

SHA1
1456bbcd34f0e912106a80bdffc61c5a4f6dc50f

SHA256
8cee33a6f40743340b93c2f175f4beed55f878f1e9fb00b7478ee0b1e73528df

SHA512
15d30aecdb96fd4510fec7b7d93d967bef7ad7ea1ee3094b7d80e6ce7476a1591afb32d7fb6328bee3aa8db4d36c3f118a96f1716697647cc7d6bad31a02067b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Popolato.swf
Filesize
38KB

MD5
617289b98bf0f2b52f3b16654dc2c568

SHA1
0b59918c027484c0ad4263ccccde302eb6d656fd

SHA256
842b71b2a95c233fed224119e4dc66eed3f03c2ea35e90e8a90617529c04806e

SHA512
7dec44be174fbd5114d557f62600dc1522bc1ee6e036fc163b6bed9ef665ea83b6bff6725617eedb344966a6b390dfff3958e63866016cc14fbfdf0374368f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Turba.csv
Filesize
910KB

MD5
5d61882d714cd3e72f6b2ca2d88a456f

SHA1
85315e2ad09edb0051062c929c7d966589ac8340

SHA256
fa783d9734141a1a55d08299f3a92e5b75645b2ad979ec005df47730f53ff50a

SHA512
9c4450a04526990455850f94bc140aafd439657f3acecaefd826cdc579e47bad91e00c64dba7ca5f8726a36195579489283bfdd6f7e9fc0ff9fd40ef88731291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
Filesize
661KB

MD5
0e10494978a9abfb9c454abf2a8b48b7

SHA1
04c1c65e8f3a5b8b21beee53f87e661ee4d7f4fa

SHA256
0cb9656846770fa2f1c6c279d762e3b5a2dd68c18d972982c2ee075d6d7f62b1

SHA512
742b8a3a01ef8a3299d72e049f2f8556b7e89ec8ca71298293e52f5b9bb21cfc4d06fc083db7dc49f6df930d50121ac7f28c288c2673aef5fc95348f29d21acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC23B.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
Filesize
840KB

MD5
a6aafdbd55007ba42805826aa1ab8017

SHA1
d13a7421b1df432e908b03a179a7fdcafd4c22e5

SHA256
296a7d922f8b0aed42d3eb8f06cfcfab9acd541becd34dc45f7d51d2664c9d0c

SHA512
4705e2f31147ac050b86525e59a751e630f8b15095031fdf356ed9474f470fa97ea78cbdf537fbf1f3900803263ea6e30c3a1695dff1e750611a89c40584762d

Download Submit
memory/452-166-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/452-167-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/452-185-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/2984-165-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2984-164-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2984-168-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2984-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download