trickbot | 7e5b8c43be82bd31fc876db679a89f3684a4b4f1c7f2894a6843efcc6acf3c33

General

Target

4f057f105fee3c97f36698e9b72533af65a89b10.exe
Size

458KB
MD5

6362b2bbc4b838806302aa0b42db4478
SHA1

4f057f105fee3c97f36698e9b72533af65a89b10
SHA256

7e5b8c43be82bd31fc876db679a89f3684a4b4f1c7f2894a6843efcc6acf3c33
SHA512

6b8d1a13590494ba7183e6f4c1de03a89b5333d0a7afc4ef1c268e1726be0bdfc4d8490673c8dc9ff1da13ffa907075160e4fe8df9da816bc8d1a2063d928152

Score

10^/10

trickbot mor87 banker dave trojan upx

Malware Config

Extracted

Family

trickbot

Version

1000497

Botnet

mor87

C2

5.182.210.226:443

5.182.210.246:443

82.146.62.52:443

198.8.91.10:443

195.123.221.53:443

51.89.115.116:443

164.68.120.56:443

85.204.116.237:443

5.2.75.167:443

93.189.42.146:443

185.252.144.174:443

81.177.165.145:443

217.107.34.151:443

146.185.219.165:443

194.87.238.87:443

146.185.253.18:443

194.5.250.155:443

195.123.216.223:443

185.99.2.160:443

5.182.210.230:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
task1/memory/1688-0-0x0000000001E50000-0x0000000001E84000-memory.dmp	trickbot_loader32
task1/memory/1856-4-0x0000000000310000-0x0000000000344000-memory.dmp	trickbot_loader32
task1/memory/1856-6-0x0000000000520000-0x0000000000551000-memory.dmp	trickbot_loader32
task1/memory/1928-9-0x0000000000B70000-0x0000000000BA4000-memory.dmp	trickbot_loader32

Dave packer 3 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

Processes:

resource	yara_rule
task1/memory/1688-0-0x0000000001E50000-0x0000000001E84000-memory.dmp	dave
task1/memory/1856-4-0x0000000000310000-0x0000000000344000-memory.dmp	dave
task1/memory/1928-9-0x0000000000B70000-0x0000000000BA4000-memory.dmp	dave

Executes dropped EXE 2 IoCs

Processes:

ԳсԳայլըвАФыВЧе.exeԳсԳայլըвАФыВЧе.exe

pid process

1856 ԳсԳայլըвАФыВЧе.exe
1928 ԳсԳայլըвАФыВЧе.exe

pid	process
1856	ԳсԳայլըвАФыВЧе.exe
1928	ԳсԳայլըвАФыВЧе.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\ԳсԳայլըвАФыВЧе.exe	upx
\ProgramData\ԳсԳայլըвАФыВЧе.exe	upx
C:\ProgramData\ԳсԳայլըвАФыВЧе.exe	upx
C:\ProgramData\ԳсԳայլըвАФыВЧе.exe	upx
C:\Users\Admin\AppData\Roaming\windirect\ԳсԳայլըвАФыВЧе.exe	upx
C:\Users\Admin\AppData\Roaming\windirect\ԳсԳայլըвАФыВЧе.exe	upx

Loads dropped DLL 2 IoCs

Processes:

4f057f105fee3c97f36698e9b72533af65a89b10.exe

pid process

1688 4f057f105fee3c97f36698e9b72533af65a89b10.exe
1688 4f057f105fee3c97f36698e9b72533af65a89b10.exe

pid	process
1688	4f057f105fee3c97f36698e9b72533af65a89b10.exe
1688	4f057f105fee3c97f36698e9b72533af65a89b10.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1456 svchost.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4f057f105fee3c97f36698e9b72533af65a89b10.exeԳсԳայլըвАФыВЧе.exeԳсԳայլըвАФыВЧе.exe

pid process

1688 4f057f105fee3c97f36698e9b72533af65a89b10.exe
1856 ԳсԳայլըвАФыВЧе.exe
1928 ԳсԳայլըвАФыВЧе.exe

description	pid	process
Token: SeTcbPrivilege	1456	svchost.exe

pid	process
1688	4f057f105fee3c97f36698e9b72533af65a89b10.exe
1856	ԳсԳայլըвАФыВЧе.exe
1928	ԳсԳայլըвАФыВЧе.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4f057f105fee3c97f36698e9b72533af65a89b10.exeԳсԳայլըвАФыВЧе.exetaskeng.exeԳсԳայլըвАФыВЧе.exe

description	pid	process	target process
PID 1688 wrote to memory of 1856	1688	4f057f105fee3c97f36698e9b72533af65a89b10.exe	ԳсԳայլըвАФыВЧе.exe
PID 1688 wrote to memory of 1856	1688	4f057f105fee3c97f36698e9b72533af65a89b10.exe	ԳсԳայլըвАФыВЧе.exe
PID 1688 wrote to memory of 1856	1688	4f057f105fee3c97f36698e9b72533af65a89b10.exe	ԳсԳայլըвАФыВЧе.exe
PID 1688 wrote to memory of 1856	1688	4f057f105fee3c97f36698e9b72533af65a89b10.exe	ԳсԳայլըвАФыВЧе.exe
PID 1856 wrote to memory of 1944	1856	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1856 wrote to memory of 1944	1856	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1856 wrote to memory of 1944	1856	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1856 wrote to memory of 1944	1856	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1856 wrote to memory of 1944	1856	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1856 wrote to memory of 1944	1856	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 364 wrote to memory of 1928	364	taskeng.exe	ԳсԳայլըвАФыВЧе.exe
PID 364 wrote to memory of 1928	364	taskeng.exe	ԳсԳայլըвАФыВЧе.exe
PID 364 wrote to memory of 1928	364	taskeng.exe	ԳсԳայլըвАФыВЧе.exe
PID 364 wrote to memory of 1928	364	taskeng.exe	ԳсԳայլըвАФыВЧе.exe
PID 1928 wrote to memory of 1456	1928	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1928 wrote to memory of 1456	1928	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1928 wrote to memory of 1456	1928	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1928 wrote to memory of 1456	1928	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1928 wrote to memory of 1456	1928	ԳсԳայլըвАФыВЧе.exe	svchost.exe
PID 1928 wrote to memory of 1456	1928	ԳсԳայլըвАФыВЧе.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\4f057f105fee3c97f36698e9b72533af65a89b10.exe
"C:\Users\Admin\AppData\Local\Temp\4f057f105fee3c97f36698e9b72533af65a89b10.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\ProgramData\ԳсԳայլըвАФыВЧе.exe
"C:\ProgramData\ԳсԳայլըвАФыВЧе.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1944

C:\Windows\system32\taskeng.exe
taskeng.exe {B1917106-BE34-4D49-A710-E2B89A2336B6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Roaming\windirect\ԳсԳայլըвАФыВЧе.exe
C:\Users\Admin\AppData\Roaming\windirect\ԳсԳայլըвАФыВЧе.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ԳсԳայլըвАФыВЧе.exe
MD5
6362b2bbc4b838806302aa0b42db4478

SHA1
4f057f105fee3c97f36698e9b72533af65a89b10

SHA256
7e5b8c43be82bd31fc876db679a89f3684a4b4f1c7f2894a6843efcc6acf3c33

SHA512
6b8d1a13590494ba7183e6f4c1de03a89b5333d0a7afc4ef1c268e1726be0bdfc4d8490673c8dc9ff1da13ffa907075160e4fe8df9da816bc8d1a2063d928152

Download Submit
C:\ProgramData\ԳсԳայլըвАФыВЧе.exe
MD5
6362b2bbc4b838806302aa0b42db4478

SHA1
4f057f105fee3c97f36698e9b72533af65a89b10

SHA256
7e5b8c43be82bd31fc876db679a89f3684a4b4f1c7f2894a6843efcc6acf3c33

SHA512
6b8d1a13590494ba7183e6f4c1de03a89b5333d0a7afc4ef1c268e1726be0bdfc4d8490673c8dc9ff1da13ffa907075160e4fe8df9da816bc8d1a2063d928152

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ԳсԳայլըвАФыВЧе.exe
MD5
6362b2bbc4b838806302aa0b42db4478

SHA1
4f057f105fee3c97f36698e9b72533af65a89b10

SHA256
7e5b8c43be82bd31fc876db679a89f3684a4b4f1c7f2894a6843efcc6acf3c33

SHA512
6b8d1a13590494ba7183e6f4c1de03a89b5333d0a7afc4ef1c268e1726be0bdfc4d8490673c8dc9ff1da13ffa907075160e4fe8df9da816bc8d1a2063d928152

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ԳсԳայլըвАФыВЧе.exe
MD5
6362b2bbc4b838806302aa0b42db4478

SHA1
4f057f105fee3c97f36698e9b72533af65a89b10

SHA256
7e5b8c43be82bd31fc876db679a89f3684a4b4f1c7f2894a6843efcc6acf3c33

SHA512
6b8d1a13590494ba7183e6f4c1de03a89b5333d0a7afc4ef1c268e1726be0bdfc4d8490673c8dc9ff1da13ffa907075160e4fe8df9da816bc8d1a2063d928152

Download Submit
\ProgramData\ԳсԳայլըвАФыВЧе.exe
MD5
6362b2bbc4b838806302aa0b42db4478

SHA1
4f057f105fee3c97f36698e9b72533af65a89b10

SHA256
7e5b8c43be82bd31fc876db679a89f3684a4b4f1c7f2894a6843efcc6acf3c33

SHA512
6b8d1a13590494ba7183e6f4c1de03a89b5333d0a7afc4ef1c268e1726be0bdfc4d8490673c8dc9ff1da13ffa907075160e4fe8df9da816bc8d1a2063d928152

Download Submit
\ProgramData\ԳсԳայլըвАФыВЧе.exe
MD5
6362b2bbc4b838806302aa0b42db4478

SHA1
4f057f105fee3c97f36698e9b72533af65a89b10

SHA256
7e5b8c43be82bd31fc876db679a89f3684a4b4f1c7f2894a6843efcc6acf3c33

SHA512
6b8d1a13590494ba7183e6f4c1de03a89b5333d0a7afc4ef1c268e1726be0bdfc4d8490673c8dc9ff1da13ffa907075160e4fe8df9da816bc8d1a2063d928152

Download Submit
memory/1688-0-0x0000000001E50000-0x0000000001E84000-memory.dmp

Filesize
208KB

Download
memory/1856-4-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/1856-6-0x0000000000520000-0x0000000000551000-memory.dmp

Filesize
196KB

Download
memory/1928-9-0x0000000000B70000-0x0000000000BA4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads