trickbot | 13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6

General

Target

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Size

500KB
MD5

5d4a7c63fde057653ddd0cafd1d42f4f
SHA1

a00e355e1b1328e7198530a533a3db12a55cf384
SHA256

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6
SHA512

42e8e4ad1cca92576a5d51b9d3bed0321298454e4da70922cac91ee45ce778777bfb248cd84c273b083357f7f4555cd1f0dbbaffe76bb424f9f143d1cf453a80

Score

10^/10

trickbot trgt889 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000479

Botnet

trgt889

C2

192.3.104.46:443

23.94.233.210:443

172.82.152.126:443

192.3.247.11:443

202.29.215.114:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3948-120-0x0000000000AC0000-0x0000000000AEC000-memory.dmp	trickbot_loader32

Modifies registry class 12 IoCs

Processes:

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ = "mfccalc.calculator"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\ = "mfccalc.calculator"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID\ = "{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\ProgID\ = "mfccalc.calculator"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\InprocHandler32\ = "ole32.dll"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\13D0A8~1.EXE"	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mfccalc.calculator\CLSID	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe

pid	process
3948	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
3948	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe

description	pid	process	target process
PID 3948 wrote to memory of 1460	3948	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 3948 wrote to memory of 1460	3948	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 3948 wrote to memory of 1460	3948	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe
PID 3948 wrote to memory of 1460	3948	13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe
"C:\Users\Admin\AppData\Local\Temp\13d0a83f88baf5df82809d5ddc119f7075f5dd354b0d53af452f1282875326e6.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-125-0x00000145CE790000-0x00000145CE7AE000-memory.dmp

Filesize
120KB

Download
memory/3948-120-0x0000000000AC0000-0x0000000000AEC000-memory.dmp

Filesize
176KB

Download
memory/3948-124-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3948-123-0x00000000022B0000-0x0000000002530000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads