trickbot | 1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

Analysis

max time kernel
170s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-06-2022 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
Size

304KB
MD5

5919aabbf2a93c1f1c2f492a8dac755e
SHA1

02bdabad186f703bb73ad3f79d018996fdea9d71
SHA256

1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225
SHA512

427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Score

10^/10

trickbot ser0529 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000201

Botnet

ser0529

109.86.227.152:443

185.129.78.167:443

190.4.189.129:443

103.228.142.14:443

65.30.201.40:443

66.232.212.59:443

80.53.57.146:443

208.75.117.70:449

92.55.251.211:449

94.112.52.197:449

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

185.42.192.194:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

82.146.59.174:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4112-133-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral2/memory/4112-132-0x0000000000000000-mapping.dmp	trickbot_loader32
behavioral2/memory/4112-139-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral2/memory/4780-140-0x0000000000000000-mapping.dmp	trickbot_loader32
behavioral2/memory/4780-148-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral2/memory/4780-156-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe = "C:\\Users\\Admin\\AppData\\Roaming\\freenet\\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	icanhazip.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3236 set thread context of 4112	3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	77
PID 4136 set thread context of 4780	4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	79

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 4112	3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	77
PID 3236 wrote to memory of 4112	3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	77
PID 3236 wrote to memory of 4112	3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	77
PID 3236 wrote to memory of 4112	3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	77
PID 3236 wrote to memory of 4112	3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	77
PID 3236 wrote to memory of 4112	3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	77
PID 3236 wrote to memory of 4112	3236	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	77
PID 4112 wrote to memory of 4136	4112	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	78
PID 4112 wrote to memory of 4136	4112	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	78
PID 4112 wrote to memory of 4136	4112	1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe	78
PID 4136 wrote to memory of 4780	4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	79
PID 4136 wrote to memory of 4780	4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	79
PID 4136 wrote to memory of 4780	4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	79
PID 4136 wrote to memory of 4780	4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	79
PID 4136 wrote to memory of 4780	4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	79
PID 4136 wrote to memory of 4780	4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	79
PID 4136 wrote to memory of 4780	4136	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	79
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80
PID 4780 wrote to memory of 2508	4780	1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe	80

C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
"C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe
  "C:\Users\Admin\AppData\Local\Temp\1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
    C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
      C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Adds Run key to start application
        
        PID:2508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Filesize
304KB

MD5
5919aabbf2a93c1f1c2f492a8dac755e

SHA1
02bdabad186f703bb73ad3f79d018996fdea9d71

SHA256
1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

SHA512
427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Download Submit
C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Filesize
304KB

MD5
5919aabbf2a93c1f1c2f492a8dac755e

SHA1
02bdabad186f703bb73ad3f79d018996fdea9d71

SHA256
1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

SHA512
427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Download Submit
C:\Users\Admin\AppData\Roaming\freenet\1c199f1109d3932946c38cd83824c3ac2f3b062394abb0a4fe76193013bef226.exe

Filesize
304KB

MD5
5919aabbf2a93c1f1c2f492a8dac755e

SHA1
02bdabad186f703bb73ad3f79d018996fdea9d71

SHA256
1c199f1108d3932845c37cd73724c3ac2f3b052384abb0a4fe65183013bef225

SHA512
427b36c48e504b9852b8b06407e8fab4dcd83c29589749c09c66aae582d91b67ed857723ddf7263e74a7b00d97860322ffc5b25acb85f2d44f3bdfd38c86076a

Download Submit
memory/2508-150-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/4112-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4112-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-144-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4780-148-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4780-156-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download