trickbot | 74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

General

Target

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
Size

611KB
MD5

69a643800f737f841917023ae7ee9b34
SHA1

effda16b763f8d6fd4f2baf7779367eabf9678ec
SHA256

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca
SHA512

543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Score

10^/10

trickbot trg8989 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000477

Botnet

trg8989

C2

37.44.212.148:443

185.65.202.127:443

193.37.212.246:443

193.124.191.243:443

31.148.99.63:443

94.103.91.61:443

203.23.128.179:443

179.43.147.72:443

93.123.73.192:443

51.89.115.120:443

144.91.76.214:443

46.21.153.81:443

194.5.250.98:443

190.154.203.218:449

178.183.150.169:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

85.11.116.194:449

177.103.240.149:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1112-60-0x00000000002F0000-0x000000000031D000-memory.dmp	trickbot_loader32
behavioral1/memory/1112-62-0x0000000000230000-0x000000000025C000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

لحلحرطلرطلتداك.exeلحلحرطلرطلتداك.exe

pid process

1112 لحلحرطلرطلتداك.exe
1056 لحلحرطلرطلتداك.exe

pid	process
1112	لحلحرطلرطلتداك.exe
1056	لحلحرطلرطلتداك.exe

Loads dropped DLL 2 IoCs

Processes:

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe

pid	process
1788	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
1788	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1556 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1556	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exeلحلحرطلرطلتداك.exeلحلحرطلرطلتداك.exe

pid	process
1788	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
1788	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
1112	لحلحرطلرطلتداك.exe
1112	لحلحرطلرطلتداك.exe
1056	لحلحرطلرطلتداك.exe
1056	لحلحرطلرطلتداك.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exeلحلحرطلرطلتداك.exetaskeng.exeلحلحرطلرطلتداك.exe

description	pid	process	target process
PID 1788 wrote to memory of 1112	1788	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe	لحلحرطلرطلتداك.exe
PID 1788 wrote to memory of 1112	1788	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe	لحلحرطلرطلتداك.exe
PID 1788 wrote to memory of 1112	1788	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe	لحلحرطلرطلتداك.exe
PID 1788 wrote to memory of 1112	1788	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe	لحلحرطلرطلتداك.exe
PID 1112 wrote to memory of 940	1112	لحلحرطلرطلتداك.exe	svchost.exe
PID 1112 wrote to memory of 940	1112	لحلحرطلرطلتداك.exe	svchost.exe
PID 1112 wrote to memory of 940	1112	لحلحرطلرطلتداك.exe	svchost.exe
PID 1112 wrote to memory of 940	1112	لحلحرطلرطلتداك.exe	svchost.exe
PID 1112 wrote to memory of 940	1112	لحلحرطلرطلتداك.exe	svchost.exe
PID 1112 wrote to memory of 940	1112	لحلحرطلرطلتداك.exe	svchost.exe
PID 900 wrote to memory of 1056	900	taskeng.exe	لحلحرطلرطلتداك.exe
PID 900 wrote to memory of 1056	900	taskeng.exe	لحلحرطلرطلتداك.exe
PID 900 wrote to memory of 1056	900	taskeng.exe	لحلحرطلرطلتداك.exe
PID 900 wrote to memory of 1056	900	taskeng.exe	لحلحرطلرطلتداك.exe
PID 1056 wrote to memory of 1556	1056	لحلحرطلرطلتداك.exe	svchost.exe
PID 1056 wrote to memory of 1556	1056	لحلحرطلرطلتداك.exe	svchost.exe
PID 1056 wrote to memory of 1556	1056	لحلحرطلرطلتداك.exe	svchost.exe
PID 1056 wrote to memory of 1556	1056	لحلحرطلرطلتداك.exe	svchost.exe
PID 1056 wrote to memory of 1556	1056	لحلحرطلرطلتداك.exe	svchost.exe
PID 1056 wrote to memory of 1556	1056	لحلحرطلرطلتداك.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
"C:\Users\Admin\AppData\Local\Temp\74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\ProgramData\لحلحرطلرطلتداك.exe
"C:\ProgramData\لحلحرطلرطلتداك.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:940

C:\Windows\system32\taskeng.exe
taskeng.exe {1E8B92DC-78AF-47F3-8367-2B77A62167FB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Roaming\HttpService\لحلحرطلرطلتداك.exe
C:\Users\Admin\AppData\Roaming\HttpService\لحلحرطلرطلتداك.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\لحلحرطلرطلتداك.exe
MD5
69a643800f737f841917023ae7ee9b34

SHA1
effda16b763f8d6fd4f2baf7779367eabf9678ec

SHA256
74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

SHA512
543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Download Submit
C:\ProgramData\لحلحرطلرطلتداك.exe
MD5
69a643800f737f841917023ae7ee9b34

SHA1
effda16b763f8d6fd4f2baf7779367eabf9678ec

SHA256
74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

SHA512
543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Download Submit
C:\Users\Admin\AppData\Roaming\HttpService\لحلحرطلرطلتداك.exe
MD5
69a643800f737f841917023ae7ee9b34

SHA1
effda16b763f8d6fd4f2baf7779367eabf9678ec

SHA256
74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

SHA512
543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Download Submit
C:\Users\Admin\AppData\Roaming\HttpService\لحلحرطلرطلتداك.exe
MD5
69a643800f737f841917023ae7ee9b34

SHA1
effda16b763f8d6fd4f2baf7779367eabf9678ec

SHA256
74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

SHA512
543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Download Submit
\ProgramData\لحلحرطلرطلتداك.exe
MD5
69a643800f737f841917023ae7ee9b34

SHA1
effda16b763f8d6fd4f2baf7779367eabf9678ec

SHA256
74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

SHA512
543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Download Submit
\ProgramData\لحلحرطلرطلتداك.exe
MD5
69a643800f737f841917023ae7ee9b34

SHA1
effda16b763f8d6fd4f2baf7779367eabf9678ec

SHA256
74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

SHA512
543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Download Submit
memory/940-63-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1112-60-0x00000000002F0000-0x000000000031D000-memory.dmp

Filesize
180KB

Download
memory/1112-62-0x0000000000230000-0x000000000025C000-memory.dmp

Filesize
176KB

Download
memory/1556-69-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1788-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads