trickbot | f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f

General

Target

f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
Size

191KB
MD5

122172f902a8e651e7c5709e6ec970fe
SHA1

fd258e0c8d666188627cc08fe56929ebba036893
SHA256

f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f
SHA512

8e22c221ca910b210c7094245cbbe552cb359bf8d637b762c56c3d254c02c78ace3cb3af8e6dd4690a77de76d91d65da019f1ac76dd0248951a25561860122e9

Score

10^/10

trickbot tot677 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000499

Botnet

tot677

C2

5.182.210.226:443

82.146.62.52:443

193.26.217.243:443

5.2.78.77:443

107.172.165.149:443

185.14.29.84:443

178.156.202.130:443

185.62.188.10:443

5.255.96.115:443

212.80.216.209:443

195.133.145.31:443

5.34.177.97:443

85.143.216.206:443

185.99.2.193:443

5.182.210.4:443

178.156.202.120:443

146.185.253.197:443

194.99.21.139:443

185.200.241.248:443

185.183.96.43:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4844-133-0x0000000000400000-0x0000000000431000-memory.dmp	trickbot_loader32
behavioral2/memory/528-135-0x0000000000400000-0x0000000000431000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe

pid process

528 f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1604 svchost.exe
Token: SeDebugPrivilege 1604 svchost.exe

pid	process
528	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe

description	pid	process
Token: SeDebugPrivilege	1604	svchost.exe
Token: SeDebugPrivilege	1604	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exef5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe

description	pid	process	target process
PID 4844 wrote to memory of 528	4844	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
PID 4844 wrote to memory of 528	4844	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
PID 4844 wrote to memory of 528	4844	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
PID 528 wrote to memory of 1604	528	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe	svchost.exe
PID 528 wrote to memory of 1604	528	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe	svchost.exe
PID 528 wrote to memory of 1604	528	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe	svchost.exe
PID 528 wrote to memory of 1604	528	f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
"C:\Users\Admin\AppData\Local\Temp\f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Roaming\NetCoreLibrary\f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
C:\Users\Admin\AppData\Roaming\NetCoreLibrary\f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NetCoreLibrary\f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
Filesize
191KB

MD5
122172f902a8e651e7c5709e6ec970fe

SHA1
fd258e0c8d666188627cc08fe56929ebba036893

SHA256
f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f

SHA512
8e22c221ca910b210c7094245cbbe552cb359bf8d637b762c56c3d254c02c78ace3cb3af8e6dd4690a77de76d91d65da019f1ac76dd0248951a25561860122e9

Download Submit
C:\Users\Admin\AppData\Roaming\NetCoreLibrary\f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f.exe
Filesize
191KB

MD5
122172f902a8e651e7c5709e6ec970fe

SHA1
fd258e0c8d666188627cc08fe56929ebba036893

SHA256
f5d555d1d7672be2d1c7f51728863fa2bc4d669ac09da707faf456c358bcc36f

SHA512
8e22c221ca910b210c7094245cbbe552cb359bf8d637b762c56c3d254c02c78ace3cb3af8e6dd4690a77de76d91d65da019f1ac76dd0248951a25561860122e9

Download Submit
memory/528-130-0x0000000000000000-mapping.dmp

Download
memory/528-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1604-134-0x0000000000000000-mapping.dmp

Download
memory/1604-136-0x00000223B3C90000-0x00000223B3CB2000-memory.dmp

Filesize
136KB

Download
memory/4844-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing