trickbot | 92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16

General

Target

92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe
Size

360KB
MD5

ae63426b87d82a8944dae4dc588599a8
SHA1

0fb0a2f879ce84d50fc2ac5defc7f767155da9f9
SHA256

92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16
SHA512

4ae1b745438803385b49f06a872bc8332f09d02a872a280422c30f6d78e7e761ff094eee5141b1fba78640b30111e675932ca9f29faf4ce1c7dac89583e8b61c

Score

10^/10

trickbot jim666 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000497

Botnet

jim666

C2

5.182.210.226:443

5.182.210.246:443

82.146.62.52:443

198.8.91.10:443

195.123.221.53:443

51.89.115.116:443

164.68.120.56:443

85.204.116.237:443

5.2.75.167:443

93.189.42.146:443

185.252.144.174:443

81.177.165.145:443

217.107.34.151:443

146.185.219.165:443

194.87.238.87:443

146.185.253.18:443

194.5.250.155:443

195.123.216.223:443

185.99.2.160:443

5.182.210.230:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4040-3-0x00000000021D0000-0x0000000002200000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe

pid process

3300 92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org

pid	process
3300	92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe

flow	ioc
7	api.ipify.org

Modifies data under HKEY_USERS 42 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 3576 svchost.exe

description	pid	process
Token: SeTcbPrivilege	3576	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe

pid	process
4040	92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe
4040	92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe
3300	92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe
3300	92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe

description	pid	process	target process
PID 4040 wrote to memory of 3512	4040	92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe	svchost.exe
PID 4040 wrote to memory of 3512	4040	92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe	svchost.exe
PID 4040 wrote to memory of 3512	4040	92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe	svchost.exe
PID 4040 wrote to memory of 3512	4040	92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe	svchost.exe
PID 3300 wrote to memory of 3576	3300	92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe	svchost.exe
PID 3300 wrote to memory of 3576	3300	92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe	svchost.exe
PID 3300 wrote to memory of 3576	3300	92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe	svchost.exe
PID 3300 wrote to memory of 3576	3300	92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe
"C:\Users\Admin\AppData\Local\Temp\92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3512

C:\Users\Admin\AppData\Roaming\windirect\92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe
C:\Users\Admin\AppData\Roaming\windirect\92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\windirect\92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe
MD5
ae63426b87d82a8944dae4dc588599a8

SHA1
0fb0a2f879ce84d50fc2ac5defc7f767155da9f9

SHA256
92c49cd55fdca695e13db05e4b1b8eea0587420beca80aad4dd8dd4c402f5e16

SHA512
4ae1b745438803385b49f06a872bc8332f09d02a872a280422c30f6d78e7e761ff094eee5141b1fba78640b30111e675932ca9f29faf4ce1c7dac89583e8b61c

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\92c29cd33ddca493c13db03c2b1b8cca0387220bcca80aad2dd8dd2c202d3c14.exe
MD5
82543664bb5e5ed79dbe0102dba62fe1

SHA1
943e726f0a6cbf27319b7e65dd6434ebf451d589

SHA256
8822eb2d8b537d4cd8303a933b291f4860c81d1bca939887d3677cd7d956bb19

SHA512
cdc7a050bd71b73690b8a05d8fd8b8d132b3eda5c30bdba030ffa79d34cd3a3e3ce6a0d61d48dbb06f92ff53bc620cfa6653f45269b642dc5b2126a3cf23362c

Download Submit
memory/4040-3-0x00000000021D0000-0x0000000002200000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads