trickbot | 0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300

General

Target

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe
Size

546KB
MD5

9ed548302bc24b6c5a09e397af9d9b77
SHA1

01220ee53b97aabf87d73c276c28bc2ecd4ccb1c
SHA256

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300
SHA512

94b9a42ea4f4c88a1d1ebfa56a73c560122c09dc6b81a3ea3c1d01f44efeb727843bbebf75f64f79045e7ecbc7a38f4855308fcf7261da4b0e15c45315487ee8

Score

10^/10

trickbot lib374 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000317

Botnet

lib374

C2

107.175.127.149:443

24.247.182.240:449

108.174.120.172:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

97.87.175.152:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.36.143:443

24.247.182.174:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2016-55-0x00000000005A0000-0x00000000005E0000-memory.dmp	trickbot_loader32
behavioral1/memory/2016-67-0x00000000005A0000-0x00000000005E0000-memory.dmp	trickbot_loader32
behavioral1/memory/948-98-0x0000000000490000-0x00000000004D0000-memory.dmp	trickbot_loader32
behavioral1/memory/948-111-0x0000000000490000-0x00000000004D0000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe

pid process

948 0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe

Loads dropped DLL 2 IoCs

Processes:

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe

pid	process
2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe
2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exepowershell.exe

pid	process
2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe
2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe
2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe
628	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 628 powershell.exe

description	pid	process
Token: SeDebugPrivilege	628	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.execmd.execmd.execmd.exe0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe

description	pid	process	target process
PID 2016 wrote to memory of 1688	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 1688	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 1688	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 1688	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 828	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 828	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 828	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 828	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 620	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 620	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 620	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 620	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	cmd.exe
PID 2016 wrote to memory of 948	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
PID 2016 wrote to memory of 948	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
PID 2016 wrote to memory of 948	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
PID 2016 wrote to memory of 948	2016	0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
PID 828 wrote to memory of 932	828	cmd.exe	sc.exe
PID 1688 wrote to memory of 1984	1688	cmd.exe	sc.exe
PID 828 wrote to memory of 932	828	cmd.exe	sc.exe
PID 1688 wrote to memory of 1984	1688	cmd.exe	sc.exe
PID 828 wrote to memory of 932	828	cmd.exe	sc.exe
PID 1688 wrote to memory of 1984	1688	cmd.exe	sc.exe
PID 828 wrote to memory of 932	828	cmd.exe	sc.exe
PID 1688 wrote to memory of 1984	1688	cmd.exe	sc.exe
PID 620 wrote to memory of 628	620	cmd.exe	powershell.exe
PID 620 wrote to memory of 628	620	cmd.exe	powershell.exe
PID 620 wrote to memory of 628	620	cmd.exe	powershell.exe
PID 620 wrote to memory of 628	620	cmd.exe	powershell.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe
PID 948 wrote to memory of 368	948	0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe
"C:\Users\Admin\AppData\Local\Temp\0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Users\Admin\AppData\Roaming\WinDefrag\0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
C:\Users\Admin\AppData\Roaming\WinDefrag\0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:368

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-790309383-526510583-3802439154-1000\0f5007522459c86e95ffcc62f32308f1_5a8ed3ac-cae1-4e8b-9fd6-2d374700adef
Filesize
1KB

MD5
7b2831abb1199e8616cbd2f8f5b6306f

SHA1
ba5b86de6709fd5ae899491a2ab2009bf9ba822d

SHA256
cb4be9b152d30f2c324cb94230187b170cb0bb990dbe0201ce5c1eb96e5258db

SHA512
35f36bf73763b3693881f0158f070daf557cadcad6ddddb138642b609b08445fcf1bf370d63648defd2fcec91c100ceb5760199f0e862f9c7b5d74b800b6439a

Download Submit
C:\Users\Admin\AppData\Roaming\WinDefrag\0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
Filesize
546KB

MD5
9ed548302bc24b6c5a09e397af9d9b77

SHA1
01220ee53b97aabf87d73c276c28bc2ecd4ccb1c

SHA256
0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300

SHA512
94b9a42ea4f4c88a1d1ebfa56a73c560122c09dc6b81a3ea3c1d01f44efeb727843bbebf75f64f79045e7ecbc7a38f4855308fcf7261da4b0e15c45315487ee8

Download Submit
\Users\Admin\AppData\Roaming\WinDefrag\0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
Filesize
546KB

MD5
9ed548302bc24b6c5a09e397af9d9b77

SHA1
01220ee53b97aabf87d73c276c28bc2ecd4ccb1c

SHA256
0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300

SHA512
94b9a42ea4f4c88a1d1ebfa56a73c560122c09dc6b81a3ea3c1d01f44efeb727843bbebf75f64f79045e7ecbc7a38f4855308fcf7261da4b0e15c45315487ee8

Download Submit
\Users\Admin\AppData\Roaming\WinDefrag\0b3dd23c26218143b998c76d091034fdd9040cdb62f790140da989f721bcd300.exe
Filesize
546KB

MD5
9ed548302bc24b6c5a09e397af9d9b77

SHA1
01220ee53b97aabf87d73c276c28bc2ecd4ccb1c

SHA256
0b3dd23c25217143b997c65d091034fdd9040cdb52f690140da979f621bcd300

SHA512
94b9a42ea4f4c88a1d1ebfa56a73c560122c09dc6b81a3ea3c1d01f44efeb727843bbebf75f64f79045e7ecbc7a38f4855308fcf7261da4b0e15c45315487ee8

Download Submit
memory/368-105-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/368-103-0x0000000000000000-mapping.dmp

Download
memory/620-58-0x0000000000000000-mapping.dmp

Download
memory/628-77-0x0000000074530000-0x0000000074765000-memory.dmp

Filesize
2.2MB

Download
memory/628-81-0x0000000071450000-0x0000000071986000-memory.dmp

Filesize
5.2MB

Download
memory/628-95-0x0000000073D50000-0x0000000073DEC000-memory.dmp

Filesize
624KB

Download
memory/628-94-0x0000000071450000-0x0000000071986000-memory.dmp

Filesize
5.2MB

Download
memory/628-65-0x0000000000000000-mapping.dmp

Download
memory/628-93-0x00000000747B0000-0x00000000747D5000-memory.dmp

Filesize
148KB

Download
memory/628-68-0x0000000073E80000-0x000000007442B000-memory.dmp

Filesize
5.7MB

Download
memory/628-69-0x0000000072F10000-0x0000000073A08000-memory.dmp

Filesize
11.0MB

Download
memory/628-70-0x0000000072770000-0x0000000072F0C000-memory.dmp

Filesize
7.6MB

Download
memory/628-71-0x0000000074830000-0x00000000748B1000-memory.dmp

Filesize
516KB

Download
memory/628-72-0x0000000071C00000-0x000000007247A000-memory.dmp

Filesize
8.5MB

Download
memory/628-73-0x00000000747E0000-0x000000007482B000-memory.dmp

Filesize
300KB

Download
memory/628-74-0x00000000747B0000-0x00000000747D5000-memory.dmp

Filesize
148KB

Download
memory/628-75-0x0000000073DF0000-0x0000000073E75000-memory.dmp

Filesize
532KB

Download
memory/628-76-0x0000000073D50000-0x0000000073DEC000-memory.dmp

Filesize
624KB

Download
memory/628-92-0x0000000071C00000-0x000000007247A000-memory.dmp

Filesize
8.5MB

Download
memory/628-78-0x0000000071A60000-0x0000000071BFE000-memory.dmp

Filesize
1.6MB

Download
memory/628-79-0x0000000071990000-0x0000000071A53000-memory.dmp

Filesize
780KB

Download
memory/628-80-0x0000000074500000-0x000000007452D000-memory.dmp

Filesize
180KB

Download
memory/628-91-0x0000000070BC0000-0x0000000071211000-memory.dmp

Filesize
6.3MB

Download
memory/628-82-0x0000000071340000-0x0000000071444000-memory.dmp

Filesize
1.0MB

Download
memory/628-83-0x0000000071220000-0x0000000071334000-memory.dmp

Filesize
1.1MB

Download
memory/628-84-0x0000000073E80000-0x000000007442B000-memory.dmp

Filesize
5.7MB

Download
memory/628-85-0x0000000072F10000-0x0000000073A08000-memory.dmp

Filesize
11.0MB

Download
memory/628-86-0x0000000072770000-0x0000000072F0C000-memory.dmp

Filesize
7.6MB

Download
memory/628-87-0x0000000074830000-0x00000000748B1000-memory.dmp

Filesize
516KB

Download
memory/628-88-0x00000000747E0000-0x000000007482B000-memory.dmp

Filesize
300KB

Download
memory/628-89-0x0000000071A60000-0x0000000071BFE000-memory.dmp

Filesize
1.6MB

Download
memory/628-90-0x0000000073DF0000-0x0000000073E75000-memory.dmp

Filesize
532KB

Download
memory/828-57-0x0000000000000000-mapping.dmp

Download
memory/932-63-0x0000000000000000-mapping.dmp

Download
memory/948-61-0x0000000000000000-mapping.dmp

Download
memory/948-98-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/948-100-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/948-111-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1688-56-0x0000000000000000-mapping.dmp

Download
memory/1984-64-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/2016-67-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/2016-55-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads