trickbot | 852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

General

Target

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
Size

877KB
MD5

10e016270a6ac608389ad0c77ed522bf
SHA1

26b0d47d5fadea36f909fd5576e51e5f3227735d
SHA256

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830
SHA512

887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Score

10^/10

trickbot trgt98888 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000479

Botnet

trgt98888

C2

192.3.104.46:443

23.94.233.210:443

172.82.152.126:443

192.3.247.11:443

202.29.215.114:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3916-120-0x0000000002290000-0x00000000022BD000-memory.dmp	trickbot_loader32
behavioral2/memory/3916-122-0x0000000002260000-0x000000000228C000-memory.dmp	trickbot_loader32
behavioral2/memory/1296-130-0x0000000000600000-0x000000000074A000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

있서래처길모고른든.exe있서래처길모고른든.exe

pid process

3916 있서래처길모고른든.exe
1296 있서래처길모고른든.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 376 svchost.exe

pid	process
3916	있서래처길모고른든.exe
1296	있서래처길모고른든.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

description	pid	process
Token: SeTcbPrivilege	376	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe있서래처길모고른든.exe있서래처길모고른든.exe

pid	process
1908	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
1908	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
3916	있서래처길모고른든.exe
3916	있서래처길모고른든.exe
1296	있서래처길모고른든.exe
1296	있서래처길모고른든.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe있서래처길모고른든.exe있서래처길모고른든.exe

description	pid	process	target process
PID 1908 wrote to memory of 3916	1908	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe	있서래처길모고른든.exe
PID 1908 wrote to memory of 3916	1908	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe	있서래처길모고른든.exe
PID 1908 wrote to memory of 3916	1908	852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe	있서래처길모고른든.exe
PID 3916 wrote to memory of 60	3916	있서래처길모고른든.exe	svchost.exe
PID 3916 wrote to memory of 60	3916	있서래처길모고른든.exe	svchost.exe
PID 3916 wrote to memory of 60	3916	있서래처길모고른든.exe	svchost.exe
PID 3916 wrote to memory of 60	3916	있서래처길모고른든.exe	svchost.exe
PID 1296 wrote to memory of 376	1296	있서래처길모고른든.exe	svchost.exe
PID 1296 wrote to memory of 376	1296	있서래처길모고른든.exe	svchost.exe
PID 1296 wrote to memory of 376	1296	있서래처길모고른든.exe	svchost.exe
PID 1296 wrote to memory of 376	1296	있서래처길모고른든.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe
"C:\Users\Admin\AppData\Local\Temp\852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\ProgramData\있서래처길모고른든.exe
"C:\ProgramData\있서래처길모고른든.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:60

C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
C:\ProgramData\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
C:\Users\Admin\AppData\Roaming\NuiGet\있서래처길모고른든.exe
MD5
10e016270a6ac608389ad0c77ed522bf

SHA1
26b0d47d5fadea36f909fd5576e51e5f3227735d

SHA256
852354e2ebd9c57e10adefe64d13f81a106381b849e55575b340cd79d3369830

SHA512
887599afd631c1c000002077a4a24de4f8e98a60900d0a1a9f82e4030c9a09c686306dba92094ca99369105f3a751aad3dba8a19686106a3984840c8dbdea76b

Download Submit
memory/60-125-0x000001C2D6D10000-0x000001C2D6D2E000-memory.dmp

Filesize
120KB

Download
memory/376-133-0x000001733BFA0000-0x000001733BFBE000-memory.dmp

Filesize
120KB

Download
memory/1296-130-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/3916-120-0x0000000002290000-0x00000000022BD000-memory.dmp

Filesize
180KB

Download
memory/3916-122-0x0000000002260000-0x000000000228C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads