trickbot | 20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba

General

Target

20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
Size

428KB
MD5

b63af3e2ce713b1a8fa79ee1158ba246
SHA1

3f25337d0bc667eb5965cbb9b70244dc01d4af84
SHA256

20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba
SHA512

f1f6a16f0caa3a0efc6827479014a8590318ed7f8f994602b7ac23aeaed1ce17bb8ba572a8e31a12513877c853bcdd3ac525e1c098e7c255d03045a92d00bd3b

Score

10^/10

trickbot ser0716 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000228

Botnet

ser0716

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

118.91.178.101:443

158.58.131.54:443

70.114.186.116:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

96.31.109.51:443

90.69.224.122:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

138.34.32.74:443

185.129.193.221:443

184.68.167.42:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1352-132-0x0000000000000000-mapping.dmp	trickbot_loader32
behavioral2/memory/1352-133-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral2/memory/1352-136-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral2/memory/4752-140-0x0000000000000000-mapping.dmp	trickbot_loader32
behavioral2/memory/4752-144-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral2/memory/4752-156-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe

pid	process
3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\msnet\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe = "C:\\Users\\Admin\\AppData\\Roaming\\msnet\\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.ipify.org

flow	ioc
27	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe

description	pid	process	target process
PID 3216 set thread context of 1352	3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
PID 3492 set thread context of 4752	3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe

pid	process
3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe

description	pid	process	target process
PID 3216 wrote to memory of 1352	3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
PID 3216 wrote to memory of 1352	3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
PID 3216 wrote to memory of 1352	3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
PID 3216 wrote to memory of 1352	3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
PID 3216 wrote to memory of 1352	3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
PID 3216 wrote to memory of 1352	3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
PID 3216 wrote to memory of 1352	3216	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
PID 1352 wrote to memory of 3492	1352	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 1352 wrote to memory of 3492	1352	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 1352 wrote to memory of 3492	1352	20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 3492 wrote to memory of 4752	3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 3492 wrote to memory of 4752	3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 3492 wrote to memory of 4752	3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 3492 wrote to memory of 4752	3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 3492 wrote to memory of 4752	3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 3492 wrote to memory of 4752	3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 3492 wrote to memory of 4752	3492	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe
PID 4752 wrote to memory of 1968	4752	20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
"C:\Users\Admin\AppData\Local\Temp\20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\Temp\20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
"C:\Users\Admin\AppData\Local\Temp\20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Roaming\msnet\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
C:\Users\Admin\AppData\Roaming\msnet\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Roaming\msnet\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
C:\Users\Admin\AppData\Roaming\msnet\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Adds Run key to start application
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msnet\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
Filesize
428KB

MD5
b63af3e2ce713b1a8fa79ee1158ba246

SHA1
3f25337d0bc667eb5965cbb9b70244dc01d4af84

SHA256
20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba

SHA512
f1f6a16f0caa3a0efc6827479014a8590318ed7f8f994602b7ac23aeaed1ce17bb8ba572a8e31a12513877c853bcdd3ac525e1c098e7c255d03045a92d00bd3b

Download Submit
C:\Users\Admin\AppData\Roaming\msnet\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
Filesize
428KB

MD5
b63af3e2ce713b1a8fa79ee1158ba246

SHA1
3f25337d0bc667eb5965cbb9b70244dc01d4af84

SHA256
20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba

SHA512
f1f6a16f0caa3a0efc6827479014a8590318ed7f8f994602b7ac23aeaed1ce17bb8ba572a8e31a12513877c853bcdd3ac525e1c098e7c255d03045a92d00bd3b

Download Submit
C:\Users\Admin\AppData\Roaming\msnet\20f09d93a3ef92911a8b4607c9671999d628a2804a0cda74e10ddcd09894feba.exe
Filesize
428KB

MD5
b63af3e2ce713b1a8fa79ee1158ba246

SHA1
3f25337d0bc667eb5965cbb9b70244dc01d4af84

SHA256
20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba

SHA512
f1f6a16f0caa3a0efc6827479014a8590318ed7f8f994602b7ac23aeaed1ce17bb8ba572a8e31a12513877c853bcdd3ac525e1c098e7c255d03045a92d00bd3b

Download Submit
memory/1352-133-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1352-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1352-132-0x0000000000000000-mapping.dmp

Download
memory/1968-148-0x0000000000000000-mapping.dmp

Download
memory/1968-150-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download
memory/3492-134-0x0000000000000000-mapping.dmp

Download
memory/4752-140-0x0000000000000000-mapping.dmp

Download
memory/4752-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4752-145-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4752-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads