trickbot | fc15217702b332433079ccd1b797ff2e51c5305241886b03ed7ed55265a1b8eb

General

Target

FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe
Size

348KB
MD5

92c5cb082171843f72b15695a79080f7
SHA1

8fa46a9f210aaaa3a93e3e93183ff34a59b9055f
SHA256

fc37f21ce836b982ca136e18953af2b9219f526833b255a87a3fd5f6c2aff167
SHA512

5422b35c174404f9c3fd1037af702b5f4afa1016873ab33e141931cda96e78ef3818ece87f5b76aa8d59416fd98eff7ecf28504e5a420b5898d5a9c3babcc897
SSDEEP

6144:rkWQuLNawPczZLIjerLQ/pc9FpTg/yVcCmkj:JJL9kFLIer8/p+zMGfNj

Score

10^/10

trickbot jim222 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000192

Botnet

jim222

C2

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:449

109.95.114.28:449

118.91.178.106:449

173.220.6.194:449

179.107.89.145:449

46.20.207.204:449

91.206.4.216:449

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:449

68.227.31.46:449

107.144.49.162:449

46.72.175.17:449

144.48.51.8:449

46.243.179.212:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

pid process

4900 GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

pid	process
4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe = "C:\\Users\\Admin\\AppData\\Roaming\\wsxmail\\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe"	svchost.exe

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ipecho.net
11 api.ipify.org
12 icanhazip.com
13 myexternalip.com
14 wtfismyip.com
15 ip.anysrc.net
16 checkip.amazonaws.com

flow	ioc
17	ipecho.net
11	api.ipify.org
12	icanhazip.com
13	myexternalip.com
14	wtfismyip.com
15	ip.anysrc.net
16	checkip.amazonaws.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exeGD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

description	pid	process	target process
PID 2840 wrote to memory of 4900	2840	FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
PID 2840 wrote to memory of 4900	2840	FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
PID 2840 wrote to memory of 4900	2840	FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 4900 wrote to memory of 3024	4900	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe
"C:\Users\Admin\AppData\Local\Temp\FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
C:\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

Filesize
348KB

MD5
92c5cb082171843f72b15695a79080f7

SHA1
8fa46a9f210aaaa3a93e3e93183ff34a59b9055f

SHA256
fc37f21ce836b982ca136e18953af2b9219f526833b255a87a3fd5f6c2aff167

SHA512
5422b35c174404f9c3fd1037af702b5f4afa1016873ab33e141931cda96e78ef3818ece87f5b76aa8d59416fd98eff7ecf28504e5a420b5898d5a9c3babcc897

Download Submit
memory/2840-1-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2840-0-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/2840-6-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3024-13-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3024-14-0x0000026660440000-0x0000026660441000-memory.dmp

Filesize
4KB

Download
memory/3024-15-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/4900-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4900-9-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4900-21-0x0000000003380000-0x000000000343E000-memory.dmp

Filesize
760KB

Download
memory/4900-23-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4900-22-0x0000000003480000-0x0000000003749000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads