trickbot | cd5a158e8108ac8d7621fd3c5e5acfbd8a894a7f3128558d4c120e1d6c3d359a

General

Target

2c6d087d1e69ec2addf164ae93114683.exe
Size

976KB
MD5

f09196398ba23dcecb1310d1bd8d9803
SHA1

13e6c1a9aeb310920534cae9bdee7d2414ac1240
SHA256

cd5a158e8108ac8d7621fd3c5e5acfbd8a894a7f3128558d4c120e1d6c3d359a
SHA512

3e378df3521fb528030ec3afb311afd1dc2d7879fbd796c31b5c1381a966bdfd2586b821133f62ead2eb6f136fba8c209b39349357d32104f5470c32f30a5155

Score

10^/10

trickbot lib661 banker dave trojan

Malware Config

Extracted

Family

trickbot

Version

1000497

Botnet

lib661

C2

5.182.210.226:443

5.182.210.246:443

82.146.62.52:443

198.8.91.10:443

195.123.221.53:443

51.89.115.116:443

164.68.120.56:443

85.204.116.237:443

5.2.75.167:443

93.189.42.146:443

185.252.144.174:443

81.177.165.145:443

217.107.34.151:443

146.185.219.165:443

194.87.238.87:443

146.185.253.18:443

194.5.250.155:443

195.123.216.223:443

185.99.2.160:443

5.182.210.230:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/756-0-0x0000000002430000-0x0000000002463000-memory.dmp	trickbot_loader32
behavioral2/memory/4024-4-0x00000000022C0000-0x00000000022F3000-memory.dmp	trickbot_loader32
behavioral2/memory/4024-5-0x0000000002340000-0x0000000002371000-memory.dmp	trickbot_loader32
behavioral2/memory/2792-9-0x0000000002310000-0x0000000002343000-memory.dmp	trickbot_loader32
behavioral2/memory/728-14-0x0000000000E90000-0x0000000000EC3000-memory.dmp	trickbot_loader32

Dave packer 4 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

Processes:

resource	yara_rule
behavioral2/memory/756-0-0x0000000002430000-0x0000000002463000-memory.dmp	dave
behavioral2/memory/4024-4-0x00000000022C0000-0x00000000022F3000-memory.dmp	dave
behavioral2/memory/2792-9-0x0000000002310000-0x0000000002343000-memory.dmp	dave
behavioral2/memory/728-14-0x0000000000E90000-0x0000000000EC3000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

ԳայլըсԳայլըПФрКЕыԳայլըаго.exeԳայլըсԳայլըПФрКЕыԳայլըаго.exeԳայլըсԳայլըПФрКЕыԳայլըаго.exe

pid	process
4024	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
2792	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
728	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ԳայլըсԳայլըПФрКЕыԳայլըаго.exe

description pid process

Token: SeTcbPrivilege 728 ԳայլըсԳայլըПФрКЕыԳայլըаго.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

description	pid	process
Token: SeTcbPrivilege	728	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

2c6d087d1e69ec2addf164ae93114683.exeԳայլըсԳայլըПФрКЕыԳայլըаго.exeԳայլըсԳայլըПФрКЕыԳայլըаго.exeԳայլըсԳայլըПФрКЕыԳայլըаго.exe

pid	process
756	2c6d087d1e69ec2addf164ae93114683.exe
4024	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
2792	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
728	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2c6d087d1e69ec2addf164ae93114683.exeԳայլըсԳայլըПФрКЕыԳայլըаго.exeԳայլըсԳայլըПФрКЕыԳայլըаго.exeԳայլըсԳայլըПФрКЕыԳայլըаго.exe

description	pid	process	target process
PID 756 wrote to memory of 4024	756	2c6d087d1e69ec2addf164ae93114683.exe	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
PID 756 wrote to memory of 4024	756	2c6d087d1e69ec2addf164ae93114683.exe	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
PID 756 wrote to memory of 4024	756	2c6d087d1e69ec2addf164ae93114683.exe	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
PID 4024 wrote to memory of 2792	4024	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
PID 4024 wrote to memory of 2792	4024	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
PID 4024 wrote to memory of 2792	4024	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
PID 2792 wrote to memory of 216	2792	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	svchost.exe
PID 2792 wrote to memory of 216	2792	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	svchost.exe
PID 2792 wrote to memory of 216	2792	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	svchost.exe
PID 2792 wrote to memory of 216	2792	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	svchost.exe
PID 728 wrote to memory of 3108	728	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	svchost.exe
PID 728 wrote to memory of 3108	728	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	svchost.exe
PID 728 wrote to memory of 3108	728	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	svchost.exe
PID 728 wrote to memory of 3108	728	ԳայլըсԳայլըПФрКЕыԳայլըаго.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2c6d087d1e69ec2addf164ae93114683.exe
"C:\Users\Admin\AppData\Local\Temp\2c6d087d1e69ec2addf164ae93114683.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
"C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Roaming\netwinlib\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
C:\Users\Admin\AppData\Roaming\netwinlib\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:216

C:\Users\Admin\AppData\Roaming\netwinlib\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
C:\Users\Admin\AppData\Roaming\netwinlib\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Modifies data under HKEY_USERS
PID:3108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
MD5
f09196398ba23dcecb1310d1bd8d9803

SHA1
13e6c1a9aeb310920534cae9bdee7d2414ac1240

SHA256
cd5a158e8108ac8d7621fd3c5e5acfbd8a894a7f3128558d4c120e1d6c3d359a

SHA512
3e378df3521fb528030ec3afb311afd1dc2d7879fbd796c31b5c1381a966bdfd2586b821133f62ead2eb6f136fba8c209b39349357d32104f5470c32f30a5155

Download Submit
C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
MD5
f09196398ba23dcecb1310d1bd8d9803

SHA1
13e6c1a9aeb310920534cae9bdee7d2414ac1240

SHA256
cd5a158e8108ac8d7621fd3c5e5acfbd8a894a7f3128558d4c120e1d6c3d359a

SHA512
3e378df3521fb528030ec3afb311afd1dc2d7879fbd796c31b5c1381a966bdfd2586b821133f62ead2eb6f136fba8c209b39349357d32104f5470c32f30a5155

Download Submit
C:\Users\Admin\AppData\Roaming\netwinlib\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
MD5
f09196398ba23dcecb1310d1bd8d9803

SHA1
13e6c1a9aeb310920534cae9bdee7d2414ac1240

SHA256
cd5a158e8108ac8d7621fd3c5e5acfbd8a894a7f3128558d4c120e1d6c3d359a

SHA512
3e378df3521fb528030ec3afb311afd1dc2d7879fbd796c31b5c1381a966bdfd2586b821133f62ead2eb6f136fba8c209b39349357d32104f5470c32f30a5155

Download Submit
C:\Users\Admin\AppData\Roaming\netwinlib\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
MD5
f09196398ba23dcecb1310d1bd8d9803

SHA1
13e6c1a9aeb310920534cae9bdee7d2414ac1240

SHA256
cd5a158e8108ac8d7621fd3c5e5acfbd8a894a7f3128558d4c120e1d6c3d359a

SHA512
3e378df3521fb528030ec3afb311afd1dc2d7879fbd796c31b5c1381a966bdfd2586b821133f62ead2eb6f136fba8c209b39349357d32104f5470c32f30a5155

Download Submit
C:\Users\Admin\AppData\Roaming\netwinlib\ԳայլըсԳայլըПФрКЕыԳայլըаго.exe
MD5
f09196398ba23dcecb1310d1bd8d9803

SHA1
13e6c1a9aeb310920534cae9bdee7d2414ac1240

SHA256
cd5a158e8108ac8d7621fd3c5e5acfbd8a894a7f3128558d4c120e1d6c3d359a

SHA512
3e378df3521fb528030ec3afb311afd1dc2d7879fbd796c31b5c1381a966bdfd2586b821133f62ead2eb6f136fba8c209b39349357d32104f5470c32f30a5155

Download Submit
memory/216-11-0x0000000000000000-mapping.dmp

Download
memory/728-14-0x0000000000E90000-0x0000000000EC3000-memory.dmp

Filesize
204KB

Download
memory/756-0-0x0000000002430000-0x0000000002463000-memory.dmp

Filesize
204KB

Download
memory/2792-6-0x0000000000000000-mapping.dmp

Download
memory/2792-9-0x0000000002310000-0x0000000002343000-memory.dmp

Filesize
204KB

Download
memory/3108-16-0x0000000000000000-mapping.dmp

Download
memory/4024-5-0x0000000002340000-0x0000000002371000-memory.dmp

Filesize
196KB

Download
memory/4024-4-0x00000000022C0000-0x00000000022F3000-memory.dmp

Filesize
204KB

Download
memory/4024-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads