trickbot | 333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

General

Target

333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe
Size

355KB
MD5

071b4497f6f663133e9d2c5b9fc15c6d
SHA1

3334452e9da9f49d07058395bede8b06bc69ba0e
SHA256

333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860
SHA512

6f11268b4a581f215811882fbf510801bce98aba6eda56fb9d4de04fdf00dddbada92c03953e1888cfcbbf7ca2d71d11f91895977955a6c9ecd5f5b0d520fda9

Score

10^/10

trickbot sat4 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000310

Botnet

sat4

C2

82.202.212.172:443

24.247.181.155:449

24.247.182.39:449

213.183.63.16:443

74.132.133.246:449

24.247.182.7:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1488-64-0x0000000000380000-0x00000000003C0000-memory.dmp	trickbot_loader32
behavioral1/memory/1948-83-0x0000000000390000-0x00000000003D0000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe

pid process

1948 333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe

Loads dropped DLL 2 IoCs

Processes:

333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe

pid	process
1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe
1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1740 sc.exe
1988 sc.exe

pid	process
1740	sc.exe
1988	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exepowershell.exe

pid	process
1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe
1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe
1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe
1764	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1764 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.execmd.execmd.execmd.exe333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe

description	pid	process	target process
PID 1488 wrote to memory of 2008	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 2008	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 2008	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 2008	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 2024	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 2024	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 2024	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 2024	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 1744	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 1744	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 1744	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 1744	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	cmd.exe
PID 1488 wrote to memory of 1948	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
PID 1488 wrote to memory of 1948	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
PID 1488 wrote to memory of 1948	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
PID 1488 wrote to memory of 1948	1488	333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
PID 2008 wrote to memory of 1988	2008	cmd.exe	sc.exe
PID 2008 wrote to memory of 1988	2008	cmd.exe	sc.exe
PID 2008 wrote to memory of 1988	2008	cmd.exe	sc.exe
PID 2008 wrote to memory of 1988	2008	cmd.exe	sc.exe
PID 2024 wrote to memory of 1740	2024	cmd.exe	sc.exe
PID 2024 wrote to memory of 1740	2024	cmd.exe	sc.exe
PID 2024 wrote to memory of 1740	2024	cmd.exe	sc.exe
PID 2024 wrote to memory of 1740	2024	cmd.exe	sc.exe
PID 1744 wrote to memory of 1764	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1764	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1764	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1764	1744	cmd.exe	powershell.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe
PID 1948 wrote to memory of 828	1948	333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe
"C:\Users\Admin\AppData\Local\Temp\333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:1988

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:1740

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Users\Admin\AppData\Roaming\NetSf\333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
C:\Users\Admin\AppData\Roaming\NetSf\333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1819626980-2277161760-1023733287-1000\0f5007522459c86e95ffcc62f32308f1_e0ffcd78-9b22-40d1-a23f-5e55cdd3b217
Filesize
1KB

MD5
92d0497b8f3c5872cd5c650c17d9c4a1

SHA1
885809c9b0697eb395f3526a3f0e421bf2325eec

SHA256
463b51823da9a964efbd81d47757f45ee81d8d6794b01c386f4c6aa54feb8b27

SHA512
ab7ce087d7ee7c35ad5b864a834c0c2ff2012959816aa7067a651fc34aa9eb297db43fa073b2d0a974244fd9e8127140a0bb0f8950735ba96e9ab6de96166ea2

Download Submit
C:\Users\Admin\AppData\Roaming\NetSf\333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
Filesize
355KB

MD5
071b4497f6f663133e9d2c5b9fc15c6d

SHA1
3334452e9da9f49d07058395bede8b06bc69ba0e

SHA256
333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

SHA512
6f11268b4a581f215811882fbf510801bce98aba6eda56fb9d4de04fdf00dddbada92c03953e1888cfcbbf7ca2d71d11f91895977955a6c9ecd5f5b0d520fda9

Download Submit
\Users\Admin\AppData\Roaming\NetSf\333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
Filesize
355KB

MD5
071b4497f6f663133e9d2c5b9fc15c6d

SHA1
3334452e9da9f49d07058395bede8b06bc69ba0e

SHA256
333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

SHA512
6f11268b4a581f215811882fbf510801bce98aba6eda56fb9d4de04fdf00dddbada92c03953e1888cfcbbf7ca2d71d11f91895977955a6c9ecd5f5b0d520fda9

Download Submit
\Users\Admin\AppData\Roaming\NetSf\333f986099aa99ab71a7982cd31ec6f9314c7cb1a49ece979a961ad94f494970.exe
Filesize
355KB

MD5
071b4497f6f663133e9d2c5b9fc15c6d

SHA1
3334452e9da9f49d07058395bede8b06bc69ba0e

SHA256
333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

SHA512
6f11268b4a581f215811882fbf510801bce98aba6eda56fb9d4de04fdf00dddbada92c03953e1888cfcbbf7ca2d71d11f91895977955a6c9ecd5f5b0d520fda9

Download Submit
memory/828-77-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/828-75-0x0000000000000000-mapping.dmp

Download
memory/1488-64-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/1488-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1740-62-0x0000000000000000-mapping.dmp

Download
memory/1744-57-0x0000000000000000-mapping.dmp

Download
memory/1764-67-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-65-0x0000000000000000-mapping.dmp

Download
memory/1764-68-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-60-0x0000000000000000-mapping.dmp

Download
memory/1948-72-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1948-83-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1988-61-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download
memory/2024-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads