trickbot | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

Analysis

max time kernel
118s
max time network
131s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
Size

977KB
MD5

224e89cd4b5c4f8fdf2cff1c4dfe42e2
SHA1

c7371ce37c57a8725ddf4d551ecdbae8b097e638
SHA256

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534
SHA512

36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Score

10^/10

trickbot trgeu1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000475

Botnet

trgeu1

45.80.148.30:443

194.5.250.83:443

185.222.202.223:443

66.55.71.11:443

94.156.144.3:443

185.244.150.142:443

194.5.250.82:443

31.184.253.37:443

109.234.34.135:443

45.66.11.116:443

185.222.202.222:443

46.30.41.229:443

45.142.213.58:443

190.154.203.218:449

189.80.134.122:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

85.11.116.194:449

177.103.240.149:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/584-66-0x00000000003D0000-0x00000000003FC000-memory.dmp	trickbot_loader32
behavioral1/memory/756-74-0x00000000008E0000-0x000000000090E000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

вгббН.exeооиаа.exeвгббН.exe

pid process

584 вгббН.exe
268 ооиаа.exe
756 вгббН.exe

pid	process
584	вгббН.exe
268	ооиаа.exe
756	вгббН.exe

Loads dropped DLL 3 IoCs

Processes:

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe

pid	process
1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1004 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1004	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exeвгббН.exeвгббН.exe

pid	process
1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
584	вгббН.exe
584	вгббН.exe
756	вгббН.exe
756	вгббН.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exeвгббН.exetaskeng.exeвгббН.exe

description	pid	process	target process
PID 1164 wrote to memory of 584	1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	вгббН.exe
PID 1164 wrote to memory of 584	1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	вгббН.exe
PID 1164 wrote to memory of 584	1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	вгббН.exe
PID 1164 wrote to memory of 584	1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	вгббН.exe
PID 1164 wrote to memory of 268	1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	ооиаа.exe
PID 1164 wrote to memory of 268	1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	ооиаа.exe
PID 1164 wrote to memory of 268	1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	ооиаа.exe
PID 1164 wrote to memory of 268	1164	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	ооиаа.exe
PID 584 wrote to memory of 636	584	вгббН.exe	svchost.exe
PID 584 wrote to memory of 636	584	вгббН.exe	svchost.exe
PID 584 wrote to memory of 636	584	вгббН.exe	svchost.exe
PID 584 wrote to memory of 636	584	вгббН.exe	svchost.exe
PID 584 wrote to memory of 636	584	вгббН.exe	svchost.exe
PID 584 wrote to memory of 636	584	вгббН.exe	svchost.exe
PID 1500 wrote to memory of 756	1500	taskeng.exe	вгббН.exe
PID 1500 wrote to memory of 756	1500	taskeng.exe	вгббН.exe
PID 1500 wrote to memory of 756	1500	taskeng.exe	вгббН.exe
PID 1500 wrote to memory of 756	1500	taskeng.exe	вгббН.exe
PID 756 wrote to memory of 1004	756	вгббН.exe	svchost.exe
PID 756 wrote to memory of 1004	756	вгббН.exe	svchost.exe
PID 756 wrote to memory of 1004	756	вгббН.exe	svchost.exe
PID 756 wrote to memory of 1004	756	вгббН.exe	svchost.exe
PID 756 wrote to memory of 1004	756	вгббН.exe	svchost.exe
PID 756 wrote to memory of 1004	756	вгббН.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
"C:\Users\Admin\AppData\Local\Temp\989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\ProgramData\вгббН.exe
"C:\ProgramData\вгббН.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:636

C:\ProgramData\ооиаа.exe
"C:\ProgramData\ооиаа.exe"
2⤵
- Executes dropped EXE
PID:268

C:\Windows\system32\taskeng.exe
taskeng.exe {A77B7431-BEAE-43B4-9E41-5BE72E45F3D5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
C:\ProgramData\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
C:\ProgramData\ооиаа.exe
MD5
2c24eaad1af80b2320c8eca59208b9e3

SHA1
354a2eb38a26dc7b035b439385a572b5f7ec72ed

SHA256
295238ae29bd534c46e1b8c65d0a7ef172d033e370024aea064cbd98b9e33c9c

SHA512
b6bb8be3607927aea914d33ad3cec14b945a98b5d13cfb2bffe99b80ed8103c3e4df9bade45c5704e0be64ed2158292e98eea067cd21132539b9ca7ececf2519

Download Submit
C:\ProgramData\ооиаа.exe
MD5
2c24eaad1af80b2320c8eca59208b9e3

SHA1
354a2eb38a26dc7b035b439385a572b5f7ec72ed

SHA256
295238ae29bd534c46e1b8c65d0a7ef172d033e370024aea064cbd98b9e33c9c

SHA512
b6bb8be3607927aea914d33ad3cec14b945a98b5d13cfb2bffe99b80ed8103c3e4df9bade45c5704e0be64ed2158292e98eea067cd21132539b9ca7ececf2519

Download Submit
C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
\ProgramData\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
\ProgramData\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
\ProgramData\ооиаа.exe
MD5
2c24eaad1af80b2320c8eca59208b9e3

SHA1
354a2eb38a26dc7b035b439385a572b5f7ec72ed

SHA256
295238ae29bd534c46e1b8c65d0a7ef172d033e370024aea064cbd98b9e33c9c

SHA512
b6bb8be3607927aea914d33ad3cec14b945a98b5d13cfb2bffe99b80ed8103c3e4df9bade45c5704e0be64ed2158292e98eea067cd21132539b9ca7ececf2519

Download Submit
memory/268-67-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/268-69-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/584-66-0x00000000003D0000-0x00000000003FC000-memory.dmp

Filesize
176KB

Download
memory/636-70-0x00000000000F0000-0x000000000010E000-memory.dmp

Filesize
120KB

Download
memory/756-74-0x00000000008E0000-0x000000000090E000-memory.dmp

Filesize
184KB

Download
memory/1004-76-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1164-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads