trickbot | 1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

General

Target

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
Size

304KB
MD5

5919aabbf2a93c1f1c2f492a8dac755e
SHA1

02bdabad186f703bb73ad3f79d018996fdea9d71
SHA256

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225
SHA512

427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Score

10^/10

trickbot ser0529 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000201

Botnet

ser0529

C2

109.86.227.152:443

185.129.78.167:443

190.4.189.129:443

103.228.142.14:443

65.30.201.40:443

66.232.212.59:443

80.53.57.146:443

208.75.117.70:449

92.55.251.211:449

94.112.52.197:449

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

185.42.192.194:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

82.146.59.174:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1772-57-0x0000000000401000-mapping.dmp	trickbot_loader32
behavioral1/memory/1772-56-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral1/memory/1772-65-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral1/memory/1456-68-0x0000000000401000-mapping.dmp	trickbot_loader32
behavioral1/memory/1456-83-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

pid	process
908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Loads dropped DLL 2 IoCs

Processes:

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe

pid	process
1772	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
1772	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

description	pid	process	target process
PID 2024 set thread context of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 908 set thread context of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

pid	process
2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

description	pid	process	target process
PID 2024 wrote to memory of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 2024 wrote to memory of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 2024 wrote to memory of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 2024 wrote to memory of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 2024 wrote to memory of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 2024 wrote to memory of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 2024 wrote to memory of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 2024 wrote to memory of 1772	2024	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
PID 1772 wrote to memory of 908	1772	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 1772 wrote to memory of 908	1772	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 1772 wrote to memory of 908	1772	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 1772 wrote to memory of 908	1772	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 908 wrote to memory of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 908 wrote to memory of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 908 wrote to memory of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 908 wrote to memory of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 908 wrote to memory of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 908 wrote to memory of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 908 wrote to memory of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 908 wrote to memory of 1456	908	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe
PID 1456 wrote to memory of 1460	1456	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
"C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
  "C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
    C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
      C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Filesize
304KB

MD5
5919aabbf2a93c1f1c2f492a8dac755e

SHA1
02bdabad186f703bb73ad3f79d018996fdea9d71

SHA256
1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

SHA512
427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Download Submit
C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Filesize
304KB

MD5
5919aabbf2a93c1f1c2f492a8dac755e

SHA1
02bdabad186f703bb73ad3f79d018996fdea9d71

SHA256
1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

SHA512
427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Download Submit
C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Filesize
304KB

MD5
5919aabbf2a93c1f1c2f492a8dac755e

SHA1
02bdabad186f703bb73ad3f79d018996fdea9d71

SHA256
1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

SHA512
427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Download Submit
\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Filesize
304KB

MD5
5919aabbf2a93c1f1c2f492a8dac755e

SHA1
02bdabad186f703bb73ad3f79d018996fdea9d71

SHA256
1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

SHA512
427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Download Submit
\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Filesize
304KB

MD5
5919aabbf2a93c1f1c2f492a8dac755e

SHA1
02bdabad186f703bb73ad3f79d018996fdea9d71

SHA256
1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

SHA512
427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Download Submit
memory/908-61-0x0000000000000000-mapping.dmp

Download
memory/1456-72-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1456-68-0x0000000000401000-mapping.dmp

Download
memory/1456-83-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1460-75-0x0000000000000000-mapping.dmp

Download
memory/1460-77-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/1772-57-0x0000000000401000-mapping.dmp

Download
memory/1772-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1772-58-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1772-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads