trickbot | 989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

General

Target

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
Size

977KB
MD5

224e89cd4b5c4f8fdf2cff1c4dfe42e2
SHA1

c7371ce37c57a8725ddf4d551ecdbae8b097e638
SHA256

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534
SHA512

36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Score

10^/10

trickbot trgeu1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000475

Botnet

trgeu1

C2

45.80.148.30:443

194.5.250.83:443

185.222.202.223:443

66.55.71.11:443

94.156.144.3:443

185.244.150.142:443

194.5.250.82:443

31.184.253.37:443

109.234.34.135:443

45.66.11.116:443

185.222.202.222:443

46.30.41.229:443

45.142.213.58:443

190.154.203.218:449

189.80.134.122:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

85.11.116.194:449

177.103.240.149:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1908-126-0x0000000002150000-0x000000000217E000-memory.dmp	trickbot_loader32
behavioral2/memory/1524-142-0x0000000000D50000-0x0000000000D7C000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

вгббН.exeооиаа.exeвгббН.exe

pid process

1908 вгббН.exe
656 ооиаа.exe
1524 вгббН.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 748 svchost.exe

pid	process
1908	вгббН.exe
656	ооиаа.exe
1524	вгббН.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

description	pid	process
Token: SeTcbPrivilege	748	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exeвгббН.exeвгббН.exe

pid	process
3532	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
3532	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
1908	вгббН.exe
1908	вгббН.exe
1524	вгббН.exe
1524	вгббН.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exeвгббН.exeвгббН.exe

description	pid	process	target process
PID 3532 wrote to memory of 1908	3532	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	вгббН.exe
PID 3532 wrote to memory of 1908	3532	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	вгббН.exe
PID 3532 wrote to memory of 1908	3532	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	вгббН.exe
PID 3532 wrote to memory of 656	3532	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	ооиаа.exe
PID 3532 wrote to memory of 656	3532	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	ооиаа.exe
PID 3532 wrote to memory of 656	3532	989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe	ооиаа.exe
PID 1908 wrote to memory of 3588	1908	вгббН.exe	svchost.exe
PID 1908 wrote to memory of 3588	1908	вгббН.exe	svchost.exe
PID 1908 wrote to memory of 3588	1908	вгббН.exe	svchost.exe
PID 1908 wrote to memory of 3588	1908	вгббН.exe	svchost.exe
PID 1524 wrote to memory of 748	1524	вгббН.exe	svchost.exe
PID 1524 wrote to memory of 748	1524	вгббН.exe	svchost.exe
PID 1524 wrote to memory of 748	1524	вгббН.exe	svchost.exe
PID 1524 wrote to memory of 748	1524	вгббН.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe
"C:\Users\Admin\AppData\Local\Temp\989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3532

C:\ProgramData\вгббН.exe
"C:\ProgramData\вгббН.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3588

C:\ProgramData\ооиаа.exe
"C:\ProgramData\ооиаа.exe"
2⤵
- Executes dropped EXE
PID:656

C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
C:\ProgramData\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
C:\ProgramData\ооиаа.exe
MD5
2c24eaad1af80b2320c8eca59208b9e3

SHA1
354a2eb38a26dc7b035b439385a572b5f7ec72ed

SHA256
295238ae29bd534c46e1b8c65d0a7ef172d033e370024aea064cbd98b9e33c9c

SHA512
b6bb8be3607927aea914d33ad3cec14b945a98b5d13cfb2bffe99b80ed8103c3e4df9bade45c5704e0be64ed2158292e98eea067cd21132539b9ca7ececf2519

Download Submit
C:\ProgramData\ооиаа.exe
MD5
2c24eaad1af80b2320c8eca59208b9e3

SHA1
354a2eb38a26dc7b035b439385a572b5f7ec72ed

SHA256
295238ae29bd534c46e1b8c65d0a7ef172d033e370024aea064cbd98b9e33c9c

SHA512
b6bb8be3607927aea914d33ad3cec14b945a98b5d13cfb2bffe99b80ed8103c3e4df9bade45c5704e0be64ed2158292e98eea067cd21132539b9ca7ececf2519

Download Submit
C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
C:\Users\Admin\AppData\Roaming\HomeLan\вгббН.exe
MD5
224e89cd4b5c4f8fdf2cff1c4dfe42e2

SHA1
c7371ce37c57a8725ddf4d551ecdbae8b097e638

SHA256
989109101e065aaa1e86b67a3f4629229047ce2c5bf39da53f775e54ee888534

SHA512
36e5d09662a70dd123d02af8124376aaf4c91cc58b7bd9b1f0b5e3c9cc4ba25965ccc906264efe518593f76476a6828531dd911dfa80b631d80cc9b6af8c39bc

Download Submit
memory/656-130-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/656-131-0x0000000005280000-0x000000000577E000-memory.dmp

Filesize
5.0MB

Download
memory/656-132-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/656-133-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/656-134-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/748-147-0x0000016B9EC90000-0x0000016B9ECAE000-memory.dmp

Filesize
120KB

Download
memory/1524-142-0x0000000000D50000-0x0000000000D7C000-memory.dmp

Filesize
176KB

Download
memory/1908-129-0x0000000000720000-0x0000000002143000-memory.dmp

Filesize
26.1MB

Download
memory/1908-126-0x0000000002150000-0x000000000217E000-memory.dmp

Filesize
184KB

Download
memory/3588-137-0x000001C9936B0000-0x000001C9936CE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads