trickbot | 0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7

General

Target

0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
Size

509KB
MD5

571f963de20e09432c8b04ac7bf20199
SHA1

95644ce6a0b14a3673f216740b230a497e5a5387
SHA256

0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7
SHA512

4873312e12dc059d9e827e23474d1bf776a32d48821ef0286660e003469831f3edb7dcdb46d092209958e88cd71261db85ef91af885b738ae78218f97a2a5658

Score

10^/10

trickbot sat19 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000231

Botnet

sat19

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

103.210.30.201:443

158.58.131.54:443

87.117.146.63:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

31.29.62.112:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

185.129.193.221:443

184.68.167.42:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4208-130-0x0000000010000000-0x0000000010040000-memory.dmp	trickbot_loader32
behavioral2/memory/4964-137-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral2/memory/2516-156-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

pid	process
4928	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\msglob\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe = "C:\\Users\\Admin\\AppData\\Roaming\\msglob\\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 api.ipify.org

flow	ioc
44	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

description	pid	process	target process
PID 4208 set thread context of 4964	4208	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
PID 4928 set thread context of 2516	4928	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

pid	process
4208	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
4928	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

description	pid	process	target process
PID 4208 wrote to memory of 4964	4208	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
PID 4208 wrote to memory of 4964	4208	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
PID 4208 wrote to memory of 4964	4208	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
PID 4208 wrote to memory of 4964	4208	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
PID 4964 wrote to memory of 4928	4964	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
PID 4964 wrote to memory of 4928	4964	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
PID 4964 wrote to memory of 4928	4964	0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
PID 4928 wrote to memory of 2516	4928	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
PID 4928 wrote to memory of 2516	4928	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
PID 4928 wrote to memory of 2516	4928	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
PID 4928 wrote to memory of 2516	4928	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe
PID 2516 wrote to memory of 1296	2516	0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
"C:\Users\Admin\AppData\Local\Temp\0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe
  "C:\Users\Admin\AppData\Local\Temp\0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Roaming\msglob\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
    C:\Users\Admin\AppData\Roaming\msglob\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\AppData\Roaming\msglob\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
      C:\Users\Admin\AppData\Roaming\msglob\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Adds Run key to start application
        
        PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2632097139-1792035885-811742494-1000\0f5007522459c86e95ffcc62f32308f1_2c37a701-1043-4f89-b4d1-d05ed25c6971

Filesize
1KB

MD5
4e829be496e32b68f97afd561d2315dc

SHA1
5c06a168d4f161f30a0fa22c722b4f60f68fe2de

SHA256
013edfb859166ae58ff8e228f2bdb47b2b8a8f5c9d7ac1be9621ce0005d0a3b8

SHA512
1d107e157b202559e6c16e784179bdc5108ae58bb9449dab39495a18196bbb41164046f14776e7e0b2e958f47eecb520af769afc3b967f05bf39e39fbf9c5fc6

Download Submit
C:\Users\Admin\AppData\Roaming\msglob\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

Filesize
509KB

MD5
571f963de20e09432c8b04ac7bf20199

SHA1
95644ce6a0b14a3673f216740b230a497e5a5387

SHA256
0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7

SHA512
4873312e12dc059d9e827e23474d1bf776a32d48821ef0286660e003469831f3edb7dcdb46d092209958e88cd71261db85ef91af885b738ae78218f97a2a5658

Download Submit
C:\Users\Admin\AppData\Roaming\msglob\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

Filesize
509KB

MD5
571f963de20e09432c8b04ac7bf20199

SHA1
95644ce6a0b14a3673f216740b230a497e5a5387

SHA256
0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7

SHA512
4873312e12dc059d9e827e23474d1bf776a32d48821ef0286660e003469831f3edb7dcdb46d092209958e88cd71261db85ef91af885b738ae78218f97a2a5658

Download Submit
C:\Users\Admin\AppData\Roaming\msglob\0b8794b9bcb83d9f428c4e223c1496f4fe314060182787f13860b307921269f8.exe

Filesize
509KB

MD5
571f963de20e09432c8b04ac7bf20199

SHA1
95644ce6a0b14a3673f216740b230a497e5a5387

SHA256
0b7684b8bcb73d9f427c4e223c1485f4fe314050172676f13750b306821258f7

SHA512
4873312e12dc059d9e827e23474d1bf776a32d48821ef0286660e003469831f3edb7dcdb46d092209958e88cd71261db85ef91af885b738ae78218f97a2a5658

Download Submit
memory/1296-150-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download
memory/1296-148-0x0000000000000000-mapping.dmp

Download
memory/2516-145-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2516-142-0x0000000000000000-mapping.dmp

Download
memory/2516-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4208-130-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/4928-134-0x0000000000000000-mapping.dmp

Download
memory/4964-137-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4964-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads