trickbot | 696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

General

Target

radiance.png.pellet.exe
Size

532KB
MD5

e8a28a5d13c44e81779b7f499224e5bf
SHA1

52cd0f52e9fab839fac42dd69a1c52aa9b9885f8
SHA256

696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85
SHA512

fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

Score

10^/10

trickbot tot352 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000298

Botnet

tot352

C2

185.222.202.113:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

188.68.209.153:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2028-2-0x0000000001E50000-0x0000000001E90000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

sadiance.png.pellet.exe

pid process

1708 sadiance.png.pellet.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489
Loads dropped DLL 2 IoCs

Processes:

radiance.png.pellet.exe

pid process

2028 radiance.png.pellet.exe
2028 radiance.png.pellet.exe

pid	process
1708	sadiance.png.pellet.exe

pid	process
2028	radiance.png.pellet.exe
2028	radiance.png.pellet.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

radiance.png.pellet.exepowershell.exe

pid process

2028 radiance.png.pellet.exe
2028 radiance.png.pellet.exe
2028 radiance.png.pellet.exe
748 powershell.exe
748 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 748 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

radiance.png.pellet.exesadiance.png.pellet.exe

pid process

2028 radiance.png.pellet.exe
1708 sadiance.png.pellet.exe

pid	process
2028	radiance.png.pellet.exe
2028	radiance.png.pellet.exe
2028	radiance.png.pellet.exe
748	powershell.exe
748	powershell.exe

description	pid	process
Token: SeDebugPrivilege	748	powershell.exe

pid	process
2028	radiance.png.pellet.exe
1708	sadiance.png.pellet.exe

Suspicious use of WriteProcessMemory 692 IoCs

Processes:

radiance.png.pellet.execmd.execmd.execmd.exesadiance.png.pellet.exe

description	pid	process	target process
PID 2028 wrote to memory of 1448	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1448	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1448	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1448	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1184	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1184	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1184	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1184	2028	radiance.png.pellet.exe	cmd.exe
PID 1448 wrote to memory of 1748	1448	cmd.exe	sc.exe
PID 1184 wrote to memory of 1796	1184	cmd.exe	sc.exe
PID 1184 wrote to memory of 1796	1184	cmd.exe	sc.exe
PID 1448 wrote to memory of 1748	1448	cmd.exe	sc.exe
PID 1184 wrote to memory of 1796	1184	cmd.exe	sc.exe
PID 1448 wrote to memory of 1748	1448	cmd.exe	sc.exe
PID 1184 wrote to memory of 1796	1184	cmd.exe	sc.exe
PID 1448 wrote to memory of 1748	1448	cmd.exe	sc.exe
PID 2028 wrote to memory of 1752	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1752	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1752	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1752	2028	radiance.png.pellet.exe	cmd.exe
PID 2028 wrote to memory of 1708	2028	radiance.png.pellet.exe	sadiance.png.pellet.exe
PID 2028 wrote to memory of 1708	2028	radiance.png.pellet.exe	sadiance.png.pellet.exe
PID 2028 wrote to memory of 1708	2028	radiance.png.pellet.exe	sadiance.png.pellet.exe
PID 2028 wrote to memory of 1708	2028	radiance.png.pellet.exe	sadiance.png.pellet.exe
PID 1752 wrote to memory of 748	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 748	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 748	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 748	1752	cmd.exe	powershell.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe
PID 1708 wrote to memory of 1840	1708	sadiance.png.pellet.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\radiance.png.pellet.exe
"C:\Users\Admin\AppData\Local\Temp\radiance.png.pellet.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

1

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
MD5
e8a28a5d13c44e81779b7f499224e5bf

SHA1
52cd0f52e9fab839fac42dd69a1c52aa9b9885f8

SHA256
696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

SHA512
fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

Download Submit
\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
MD5
e8a28a5d13c44e81779b7f499224e5bf

SHA1
52cd0f52e9fab839fac42dd69a1c52aa9b9885f8

SHA256
696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

SHA512
fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

Download Submit
\Users\Admin\AppData\Roaming\WINYS\sadiance.png.pellet.exe
MD5
e8a28a5d13c44e81779b7f499224e5bf

SHA1
52cd0f52e9fab839fac42dd69a1c52aa9b9885f8

SHA256
696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85

SHA512
fd6db083f3b248bdaf51d62317c3d93d1bec9e777dcb815c5122e2fea4b8ab20b1cba2d1f13dd7f4e56b648efdff57cbb434cd4289adfe3aed7074e9fe3ef835

Download Submit
memory/748-49-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/748-65-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/748-50-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/748-29-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/748-28-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/748-25-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/748-33-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/748-64-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/748-36-0x0000000006030000-0x0000000006031000-memory.dmp

Filesize
4KB

Download
memory/748-32-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/748-41-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/748-20-0x0000000000000000-mapping.dmp

Download
memory/748-42-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/1184-4-0x0000000000000000-mapping.dmp

Download
memory/1448-3-0x0000000000000000-mapping.dmp

Download
memory/1708-17-0x0000000000000000-mapping.dmp

Download
memory/1708-30-0x00000000023D0000-0x00000000023D4000-memory.dmp

Filesize
16KB

Download
memory/1708-31-0x00000000026D0000-0x00000000026D4000-memory.dmp

Filesize
16KB

Download
memory/1748-12-0x0000000000000000-mapping.dmp

Download
memory/1752-14-0x0000000000000000-mapping.dmp

Download
memory/1796-11-0x0000000000000000-mapping.dmp

Download
memory/1840-24-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/1840-23-0x0000000000000000-mapping.dmp

Download
memory/2028-27-0x0000000002830000-0x0000000002834000-memory.dmp

Filesize
16KB

Download
memory/2028-26-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/2028-2-0x0000000001E50000-0x0000000001E90000-memory.dmp

Filesize
256KB

Download
memory/2028-13-0x0000000003F60000-0x0000000003F71000-memory.dmp

Filesize
68KB

Download
memory/2028-7-0x0000000003F60000-0x0000000003F71000-memory.dmp

Filesize
68KB

Download
memory/2028-6-0x0000000004370000-0x0000000004381000-memory.dmp

Filesize
68KB

Download
memory/2028-5-0x0000000003F60000-0x0000000003F71000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads