trickbot | 13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6

General

Target

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Size

500KB
MD5

5d4a7c63fde057653ddd0cafd1d42f4f
SHA1

a00e355e1b1328e7198530a533a3db12a55cf384
SHA256

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6
SHA512

42e8e4ad1cca92576a5d51b9d3bed0321298454e4da70922cac91ee45ce778777bfb248cd84c273b083357f7f4555cd1f0dbbaffe76bb424f9f143d1cf453a80

Score

10^/10

trickbot trgt889 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000479

Botnet

trgt889

C2

192.3.104.46:443

23.94.233.210:443

172.82.152.126:443

192.3.247.11:443

202.29.215.114:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1624-55-0x0000000000510000-0x000000000053D000-memory.dmp	trickbot_loader32
behavioral1/memory/1624-57-0x00000000004E0000-0x000000000050C000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe

pid process

928 13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe

pid	process
928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe

Modifies registry class 20 IoCs

Processes:

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\HTTPSE~1\\13D0A8~1.EXE"	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\13D0A8~1.EXE"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\ = "mfccalc.calculator"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ = "mfccalc.calculator"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1044 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1044	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe

pid	process
1624	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
1624	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exetaskeng.exe13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe

description	pid	process	target process
PID 1624 wrote to memory of 1204	1624	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 1624 wrote to memory of 1204	1624	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 1624 wrote to memory of 1204	1624	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 1624 wrote to memory of 1204	1624	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 1624 wrote to memory of 1204	1624	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 1624 wrote to memory of 1204	1624	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 1824 wrote to memory of 928	1824	taskeng.exe	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
PID 1824 wrote to memory of 928	1824	taskeng.exe	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
PID 1824 wrote to memory of 928	1824	taskeng.exe	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
PID 1824 wrote to memory of 928	1824	taskeng.exe	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
PID 928 wrote to memory of 1044	928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe	svchost.exe
PID 928 wrote to memory of 1044	928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe	svchost.exe
PID 928 wrote to memory of 1044	928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe	svchost.exe
PID 928 wrote to memory of 1044	928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe	svchost.exe
PID 928 wrote to memory of 1044	928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe	svchost.exe
PID 928 wrote to memory of 1044	928	13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
"C:\Users\Admin\AppData\Local\Temp\13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1204

C:\Windows\system32\taskeng.exe
taskeng.exe {DE9953FB-B91C-4DB6-BA4B-28CEC24816E0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Roaming\HttpService\13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
C:\Users\Admin\AppData\Roaming\HttpService\13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HttpService\13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
MD5
5d4a7c63fde057653ddd0cafd1d42f4f

SHA1
a00e355e1b1328e7198530a533a3db12a55cf384

SHA256
13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6

SHA512
42e8e4ad1cca92576a5d51b9d3bed0321298454e4da70922cac91ee45ce778777bfb248cd84c273b083357f7f4555cd1f0dbbaffe76bb424f9f143d1cf453a80

Download Submit
C:\Users\Admin\AppData\Roaming\HttpService\13d0a83f88baf7df82809d7ddc119f9097f7dd374b0d73af472f1282897328e8.exe
MD5
5d4a7c63fde057653ddd0cafd1d42f4f

SHA1
a00e355e1b1328e7198530a533a3db12a55cf384

SHA256
13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6

SHA512
42e8e4ad1cca92576a5d51b9d3bed0321298454e4da70922cac91ee45ce778777bfb248cd84c273b083357f7f4555cd1f0dbbaffe76bb424f9f143d1cf453a80

Download Submit
memory/928-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1044-65-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1204-58-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1624-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1624-55-0x0000000000510000-0x000000000053D000-memory.dmp

Filesize
180KB

Download
memory/1624-57-0x00000000004E0000-0x000000000050C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads