trickbot | bf100eeaa8749d9a492d0ef75ad7ab518d263848174e7760773fde7c11f37948

General

Target

90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs
Size

974KB
MD5

9519df9ae170e1beef2c4f132d2de878
SHA1

6a4d0474f140bd912af3e53c1a3b977b7875f264
SHA256

90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069
SHA512

3f4010864e9ca3c591f34e865f293d9089ac616c369eb7a5378ce6970d03e7a4577a5e1377977e9bcc1459cfde347c7e3723e8e079404c7a328bd0f8b74a4d1b
SSDEEP

24576:PUFUHaQAww6F0Rim/UXuunSPVFBES2BFBmkrD27hYDNfk5fW12+C/5IicxMi:d

Score

10^/10

trickbot banker defense_evasion discovery packer trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Templ.dll packer 3 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral1/memory/2296-7-0x0000000000870000-0x00000000008A9000-memory.dmp	templ_dll
behavioral1/memory/2296-11-0x00000000008B0000-0x00000000008E7000-memory.dmp	templ_dll
behavioral1/memory/2296-14-0x0000000002090000-0x00000000020C5000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

pid	Process
2296	rundll32.exe

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2716	cmd.exe
2904	certutil.exe
2900	certutil.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	wermgr.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2716	2408	WScript.exe	31
PID 2408 wrote to memory of 2716	2408	WScript.exe	31
PID 2408 wrote to memory of 2716	2408	WScript.exe	31
PID 2716 wrote to memory of 2904	2716	cmd.exe	33
PID 2716 wrote to memory of 2904	2716	cmd.exe	33
PID 2716 wrote to memory of 2904	2716	cmd.exe	33
PID 2716 wrote to memory of 2900	2716	cmd.exe	34
PID 2716 wrote to memory of 2900	2716	cmd.exe	34
PID 2716 wrote to memory of 2900	2716	cmd.exe	34
PID 2716 wrote to memory of 3032	2716	cmd.exe	35
PID 2716 wrote to memory of 3032	2716	cmd.exe	35
PID 2716 wrote to memory of 3032	2716	cmd.exe	35
PID 3032 wrote to memory of 2296	3032	rundll32.exe	36
PID 3032 wrote to memory of 2296	3032	rundll32.exe	36
PID 3032 wrote to memory of 2296	3032	rundll32.exe	36
PID 3032 wrote to memory of 2296	3032	rundll32.exe	36
PID 3032 wrote to memory of 2296	3032	rundll32.exe	36
PID 3032 wrote to memory of 2296	3032	rundll32.exe	36
PID 3032 wrote to memory of 2296	3032	rundll32.exe	36
PID 2296 wrote to memory of 3020	2296	rundll32.exe	37
PID 2296 wrote to memory of 3020	2296	rundll32.exe	37
PID 2296 wrote to memory of 3020	2296	rundll32.exe	37
PID 2296 wrote to memory of 3020	2296	rundll32.exe	37
PID 2296 wrote to memory of 3020	2296	rundll32.exe	37
PID 2296 wrote to memory of 3020	2296	rundll32.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\cmd.exe
  cmd /c certutil -decodehex c:\qarantine\oasdlfpa.txt c:\qarantine\1.xls&certutil -decode c:\qarantine\1.xls c:\qarantine\2.txt&rundll32 c:\qarantine\2.txt,DllRegisterServer&exit
  2⤵
  - Deobfuscate/Decode Files or Information
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\certutil.exe
    certutil -decodehex c:\qarantine\oasdlfpa.txt c:\qarantine\1.xls
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:2904
- - C:\Windows\system32\certutil.exe
    certutil -decode c:\qarantine\1.xls c:\qarantine\2.txt
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:2900
- - C:\Windows\system32\rundll32.exe
    rundll32 c:\qarantine\2.txt,DllRegisterServer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 c:\qarantine\2.txt,DllRegisterServer
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\system32\wermgr.exe
        
        C:\Windows\system32\wermgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

1

T1140

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\qarantine\1.xls

Filesize
467KB

MD5
54731e1ad658d9dbadd5abfb6c99c80a

SHA1
8f0f90ad3e3ea84f787af302dc7100f29dfbf946

SHA256
238fdc0536fe91e4acc2507a9fb588b0f310980cffb385728250221843c67657

SHA512
cf1918ffa11cfac38642fdbbb9f89896ede1fd4e277ab24c441d345fcef0b298c72715c3061451920ca55f865f82fb72a4589bcdd8eecbeb6b82d85a7c172da1

Download Submit
\??\c:\qarantine\2.txt

Filesize
340KB

MD5
0da9b790450c4331df8accbb89c6f651

SHA1
bdbe4484f568f3b518513191d577edcc0150b7b5

SHA256
4013945c4997c0c02b6d094186dde0ae4fa499bc33afae5bbbc0207f2754fe39

SHA512
3eddb0efa3081b2c1dd17e599d29f70dd15bbecaacd831dba65314ddb9d4b091e230c1c43a9d27bd59189b9ae3f0104d693691640e0924a2ea2d90421ef96ca7

Download Submit
\??\c:\qarantine\oasdlfpa.txt

Filesize
935KB

MD5
ac74ba7249daf3d2b9e1af23c458574b

SHA1
ae8670b812bc53a6b93720f0e23f202016287054

SHA256
bbda4baab0dfb99027d1a2d3ae32a376f831d9ab19d4e106aaca98a86a407378

SHA512
a45c80c534e932db7e89d8159852ca3e9f309fc17e9f974f185725736b5cbc014e66b9e5641fdd629cbed74d0f316a5d2e6979ea65a7af5db342d0a6b562ab64

Download Submit
memory/2296-7-0x0000000000870000-0x00000000008A9000-memory.dmp

Filesize
228KB

Download
memory/2296-11-0x00000000008B0000-0x00000000008E7000-memory.dmp

Filesize
220KB

Download
memory/2296-14-0x0000000002090000-0x00000000020C5000-memory.dmp

Filesize
212KB

Download
memory/3020-17-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing