trickbot | 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

General

Target

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
Size

877KB
MD5

10e016270a6ac608389ad0c77ed522bf
SHA1

26b0d47d5fadea36f909fd5576e51e5f3227735d
SHA256

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830
SHA512

887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Score

10^/10

trickbot trgt98888 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000479

Botnet

trgt98888

C2

192.3.104.46:443

23.94.233.210:443

172.82.152.126:443

192.3.247.11:443

202.29.215.114:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/760-61-0x0000000000290000-0x00000000002BD000-memory.dmp	trickbot_loader32
behavioral1/memory/760-63-0x00000000001D0000-0x00000000001FC000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

있서래처길모고른든.exe있서래처길모고른든.exe

pid process

760 있서래처길모고른든.exe
1520 있서래처길모고른든.exe

pid	process
760	있서래처길모고른든.exe
1520	있서래처길모고른든.exe

Loads dropped DLL 2 IoCs

Processes:

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe

pid	process
1472	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
1472	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1740 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1740	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe있서래처길모고른든.exe있서래처길모고른든.exe

pid	process
1472	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
1472	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
760	있서래처길모고른든.exe
760	있서래처길모고른든.exe
1520	있서래처길모고른든.exe
1520	있서래처길모고른든.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe있서래처길모고른든.exetaskeng.exe있서래처길모고른든.exe

description	pid	process	target process
PID 1472 wrote to memory of 760	1472	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe	있서래처길모고른든.exe
PID 1472 wrote to memory of 760	1472	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe	있서래처길모고른든.exe
PID 1472 wrote to memory of 760	1472	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe	있서래처길모고른든.exe
PID 1472 wrote to memory of 760	1472	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe	있서래처길모고른든.exe
PID 760 wrote to memory of 1944	760	있서래처길모고른든.exe	svchost.exe
PID 760 wrote to memory of 1944	760	있서래처길모고른든.exe	svchost.exe
PID 760 wrote to memory of 1944	760	있서래처길모고른든.exe	svchost.exe
PID 760 wrote to memory of 1944	760	있서래처길모고른든.exe	svchost.exe
PID 760 wrote to memory of 1944	760	있서래처길모고른든.exe	svchost.exe
PID 760 wrote to memory of 1944	760	있서래처길모고른든.exe	svchost.exe
PID 924 wrote to memory of 1520	924	taskeng.exe	있서래처길모고른든.exe
PID 924 wrote to memory of 1520	924	taskeng.exe	있서래처길모고른든.exe
PID 924 wrote to memory of 1520	924	taskeng.exe	있서래처길모고른든.exe
PID 924 wrote to memory of 1520	924	taskeng.exe	있서래처길모고른든.exe
PID 1520 wrote to memory of 1740	1520	있서래처길모고른든.exe	svchost.exe
PID 1520 wrote to memory of 1740	1520	있서래처길모고른든.exe	svchost.exe
PID 1520 wrote to memory of 1740	1520	있서래처길모고른든.exe	svchost.exe
PID 1520 wrote to memory of 1740	1520	있서래처길모고른든.exe	svchost.exe
PID 1520 wrote to memory of 1740	1520	있서래처길모고른든.exe	svchost.exe
PID 1520 wrote to memory of 1740	1520	있서래처길모고른든.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
"C:\Users\Admin\AppData\Local\Temp\852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472

C:\ProgramData\있서래처길모고른든.exe
"C:\ProgramData\있서래처길모고른든.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1944

C:\Windows\system32\taskeng.exe
taskeng.exe {189E5A61-5CBA-42FB-9B5A-C8737DDA7879} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
C:\ProgramData\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
\ProgramData\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
\ProgramData\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
memory/760-61-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/760-63-0x00000000001D0000-0x00000000001FC000-memory.dmp

Filesize
176KB

Download
memory/1472-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/1740-70-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1944-64-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads