trickbot | 008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc

General

Target

008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe
Size

292KB
MD5

cffe42160ce75c168a74e4c16d6be45f
SHA1

f65cacbd305a8a62294519baf13fcf8b176a452f
SHA256

008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc
SHA512

3c63568cfa9040ec539683a860821e9d42d54ee679077fbca7b2992f6cd2fa3c703c01f7c5aa5e9f0d0147ece4dba291f5bc24f3465bd364c3fc8e35baa3fc19

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4372-132-0x00000000021D0000-0x00000000021FB000-memory.dmp	trickbot_loader32
behavioral2/memory/4372-134-0x00000000021D0000-0x00000000021FB000-memory.dmp	trickbot_loader32
behavioral2/memory/2188-142-0x00000000020D0000-0x00000000020FB000-memory.dmp	trickbot_loader32
behavioral2/memory/636-158-0x0000000000F80000-0x0000000000FAB000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe

pid	process
2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe

description pid process

Token: SeTcbPrivilege 636 009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe

description	pid	process
Token: SeTcbPrivilege	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe

pid	process
4372	008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe
2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe

description	pid	process	target process
PID 4372 wrote to memory of 2188	4372	008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
PID 4372 wrote to memory of 2188	4372	008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
PID 4372 wrote to memory of 2188	4372	008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 2188 wrote to memory of 1860	2188	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe
PID 636 wrote to memory of 380	636	009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe
"C:\Users\Admin\AppData\Local\Temp\008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Roaming\SysDefrag\009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1860

C:\Users\Admin\AppData\Roaming\SysDefrag\009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SysDefrag\009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
Filesize
292KB

MD5
cffe42160ce75c168a74e4c16d6be45f

SHA1
f65cacbd305a8a62294519baf13fcf8b176a452f

SHA256
008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc

SHA512
3c63568cfa9040ec539683a860821e9d42d54ee679077fbca7b2992f6cd2fa3c703c01f7c5aa5e9f0d0147ece4dba291f5bc24f3465bd364c3fc8e35baa3fc19

Download Submit
C:\Users\Admin\AppData\Roaming\SysDefrag\009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
Filesize
292KB

MD5
cffe42160ce75c168a74e4c16d6be45f

SHA1
f65cacbd305a8a62294519baf13fcf8b176a452f

SHA256
008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc

SHA512
3c63568cfa9040ec539683a860821e9d42d54ee679077fbca7b2992f6cd2fa3c703c01f7c5aa5e9f0d0147ece4dba291f5bc24f3465bd364c3fc8e35baa3fc19

Download Submit
C:\Users\Admin\AppData\Roaming\SysDefrag\009ea6eb3a2b965176eb2fa63fe6f99e0de715a0dcc1bdb5dc28175c78cf07cc.exe
Filesize
292KB

MD5
cffe42160ce75c168a74e4c16d6be45f

SHA1
f65cacbd305a8a62294519baf13fcf8b176a452f

SHA256
008ea5eb3a2b854165eb2fa53fe5f88e0de614a0dcc1bdb4dc27164c67cf06cc

SHA512
3c63568cfa9040ec539683a860821e9d42d54ee679077fbca7b2992f6cd2fa3c703c01f7c5aa5e9f0d0147ece4dba291f5bc24f3465bd364c3fc8e35baa3fc19

Download Submit
memory/380-163-0x0000000000000000-mapping.dmp

Download
memory/636-158-0x0000000000F80000-0x0000000000FAB000-memory.dmp

Filesize
172KB

Download
memory/1860-147-0x0000000000000000-mapping.dmp

Download
memory/1860-149-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2188-135-0x0000000000000000-mapping.dmp

Download
memory/2188-142-0x00000000020D0000-0x00000000020FB000-memory.dmp

Filesize
172KB

Download
memory/2188-144-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4372-132-0x00000000021D0000-0x00000000021FB000-memory.dmp

Filesize
172KB

Download
memory/4372-134-0x00000000021D0000-0x00000000021FB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads