trickbot | ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d

General

Target

ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe
Size

981KB
MD5

959f6e21eddb767364245c1e1ea41aa7
SHA1

23e5e8d180d8d7bfaf9cf469aa104ab0ce6a5ee6
SHA256

ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d
SHA512

6629870467a5dc2f2e6cb76852b9c8f79d8205ae144322737aea23381e50ca694b74959198ece04b6d00396296d983ba87aed52ca372d47fb55e977f694c0d80

Score

10^/10

trickbot trg88889 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000477

Botnet

trg88889

C2

37.44.212.148:443

185.65.202.127:443

193.37.212.246:443

193.124.191.243:443

31.148.99.63:443

94.103.91.61:443

203.23.128.179:443

179.43.147.72:443

93.123.73.192:443

51.89.115.120:443

144.91.76.214:443

46.21.153.81:443

194.5.250.98:443

190.154.203.218:449

178.183.150.169:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

85.11.116.194:449

177.103.240.149:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2044-61-0x0000000000270000-0x000000000029E000-memory.dmp	trickbot_loader32
behavioral1/memory/2044-63-0x0000000000240000-0x000000000026C000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

すすのは抱べも私.exeすすのは抱べも私.exe

pid process

2044 すすのは抱べも私.exe
1188 すすのは抱べも私.exe

pid	process
2044	すすのは抱べも私.exe
1188	すすのは抱べも私.exe

Loads dropped DLL 2 IoCs

Processes:

ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe

pid	process
1416	ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe
1416	ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 828 svchost.exe

description	pid	process
Token: SeTcbPrivilege	828	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exeすすのは抱べも私.exeすすのは抱べも私.exe

pid	process
1416	ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe
1416	ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe
2044	すすのは抱べも私.exe
2044	すすのは抱べも私.exe
1188	すすのは抱べも私.exe
1188	すすのは抱べも私.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exeすすのは抱べも私.exetaskeng.exeすすのは抱べも私.exe

description	pid	process	target process
PID 1416 wrote to memory of 2044	1416	ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe	すすのは抱べも私.exe
PID 1416 wrote to memory of 2044	1416	ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe	すすのは抱べも私.exe
PID 1416 wrote to memory of 2044	1416	ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe	すすのは抱べも私.exe
PID 1416 wrote to memory of 2044	1416	ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe	すすのは抱べも私.exe
PID 2044 wrote to memory of 1348	2044	すすのは抱べも私.exe	svchost.exe
PID 2044 wrote to memory of 1348	2044	すすのは抱べも私.exe	svchost.exe
PID 2044 wrote to memory of 1348	2044	すすのは抱べも私.exe	svchost.exe
PID 2044 wrote to memory of 1348	2044	すすのは抱べも私.exe	svchost.exe
PID 2044 wrote to memory of 1348	2044	すすのは抱べも私.exe	svchost.exe
PID 2044 wrote to memory of 1348	2044	すすのは抱べも私.exe	svchost.exe
PID 948 wrote to memory of 1188	948	taskeng.exe	すすのは抱べも私.exe
PID 948 wrote to memory of 1188	948	taskeng.exe	すすのは抱べも私.exe
PID 948 wrote to memory of 1188	948	taskeng.exe	すすのは抱べも私.exe
PID 948 wrote to memory of 1188	948	taskeng.exe	すすのは抱べも私.exe
PID 1188 wrote to memory of 828	1188	すすのは抱べも私.exe	svchost.exe
PID 1188 wrote to memory of 828	1188	すすのは抱べも私.exe	svchost.exe
PID 1188 wrote to memory of 828	1188	すすのは抱べも私.exe	svchost.exe
PID 1188 wrote to memory of 828	1188	すすのは抱べも私.exe	svchost.exe
PID 1188 wrote to memory of 828	1188	すすのは抱べも私.exe	svchost.exe
PID 1188 wrote to memory of 828	1188	すすのは抱べも私.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe
"C:\Users\Admin\AppData\Local\Temp\ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\ProgramData\すすのは抱べも私.exe
  "C:\ProgramData\すすのは抱べも私.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1348

C:\Windows\system32\taskeng.exe
taskeng.exe {A37F747F-5D22-47C9-AD5E-AD5E240B28D2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Roaming\HttpService\すすのは抱べも私.exe
  C:\Users\Admin\AppData\Roaming\HttpService\すすのは抱べも私.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\すすのは抱べも私.exe

MD5
959f6e21eddb767364245c1e1ea41aa7

SHA1
23e5e8d180d8d7bfaf9cf469aa104ab0ce6a5ee6

SHA256
ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d

SHA512
6629870467a5dc2f2e6cb76852b9c8f79d8205ae144322737aea23381e50ca694b74959198ece04b6d00396296d983ba87aed52ca372d47fb55e977f694c0d80

Download Submit
C:\ProgramData\すすのは抱べも私.exe

MD5
959f6e21eddb767364245c1e1ea41aa7

SHA1
23e5e8d180d8d7bfaf9cf469aa104ab0ce6a5ee6

SHA256
ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d

SHA512
6629870467a5dc2f2e6cb76852b9c8f79d8205ae144322737aea23381e50ca694b74959198ece04b6d00396296d983ba87aed52ca372d47fb55e977f694c0d80

Download Submit
C:\Users\Admin\AppData\Roaming\HttpService\すすのは抱べも私.exe

MD5
959f6e21eddb767364245c1e1ea41aa7

SHA1
23e5e8d180d8d7bfaf9cf469aa104ab0ce6a5ee6

SHA256
ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d

SHA512
6629870467a5dc2f2e6cb76852b9c8f79d8205ae144322737aea23381e50ca694b74959198ece04b6d00396296d983ba87aed52ca372d47fb55e977f694c0d80

Download Submit
C:\Users\Admin\AppData\Roaming\HttpService\すすのは抱べも私.exe

MD5
959f6e21eddb767364245c1e1ea41aa7

SHA1
23e5e8d180d8d7bfaf9cf469aa104ab0ce6a5ee6

SHA256
ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d

SHA512
6629870467a5dc2f2e6cb76852b9c8f79d8205ae144322737aea23381e50ca694b74959198ece04b6d00396296d983ba87aed52ca372d47fb55e977f694c0d80

Download Submit
\ProgramData\すすのは抱べも私.exe

MD5
959f6e21eddb767364245c1e1ea41aa7

SHA1
23e5e8d180d8d7bfaf9cf469aa104ab0ce6a5ee6

SHA256
ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d

SHA512
6629870467a5dc2f2e6cb76852b9c8f79d8205ae144322737aea23381e50ca694b74959198ece04b6d00396296d983ba87aed52ca372d47fb55e977f694c0d80

Download Submit
\ProgramData\すすのは抱べも私.exe

MD5
959f6e21eddb767364245c1e1ea41aa7

SHA1
23e5e8d180d8d7bfaf9cf469aa104ab0ce6a5ee6

SHA256
ce6acf274744f0f200528105f3beead449d07197eb1e66b43a2616168e0b4d8d

SHA512
6629870467a5dc2f2e6cb76852b9c8f79d8205ae144322737aea23381e50ca694b74959198ece04b6d00396296d983ba87aed52ca372d47fb55e977f694c0d80

Download Submit
memory/828-72-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1188-71-0x0000000000910000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/1348-65-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1416-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/2044-61-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/2044-63-0x0000000000240000-0x000000000026C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads