trickbot | aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71

General

Target

aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
Size

424KB
MD5

a28604cbd7a845fe3bae400f76ae4046
SHA1

2bb828db31142a0d03b1f646375b688e130f6ee0
SHA256

aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71
SHA512

804e9d6076cc6cb886cb529897ec7c38314d658463ccc6567c0af7fbed61d2df770baf18886432b0e95c89fe0408b8816023a89a874630098190170f3de0f655

Score

10^/10

trickbot wmd38 banker dave trojan

Malware Config

Extracted

Family

trickbot

Version

1000498

Botnet

wmd38

C2

5.182.210.226:443

82.146.62.52:443

164.68.120.56:443

185.11.146.86:443

5.2.78.70:443

185.65.202.240:443

193.26.217.243:443

81.177.180.254:443

5.34.177.40:443

185.186.77.222:443

188.227.84.209:443

185.45.193.76:443

46.229.213.27:443

88.99.112.87:443

51.254.164.240:443

45.148.120.13:443

5.2.78.77:443

64.44.51.125:443

107.172.165.149:443

45.148.120.14:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Dave packer 3 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/4220-130-0x00000000022C0000-0x00000000022F5000-memory.dmp	dave
behavioral2/memory/4220-134-0x0000000002280000-0x00000000022B2000-memory.dmp	dave
behavioral2/memory/3032-138-0x0000000002190000-0x00000000021C5000-memory.dmp	dave

Executes dropped EXE 1 IoCs

Processes:

قا嗶δηнг.exe

pid process

3032 قا嗶δηнг.exe

pid	process
3032	قا嗶δηнг.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exeقا嗶δηнг.exe

pid	process
4220	aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
4220	aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
3032	قا嗶δηнг.exe
3032	قا嗶δηнг.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exeقا嗶δηнг.exe

description	pid	process	target process
PID 4220 wrote to memory of 3032	4220	aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe	قا嗶δηнг.exe
PID 4220 wrote to memory of 3032	4220	aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe	قا嗶δηнг.exe
PID 4220 wrote to memory of 3032	4220	aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe	قا嗶δηнг.exe
PID 3032 wrote to memory of 2036	3032	قا嗶δηнг.exe	svchost.exe
PID 3032 wrote to memory of 2036	3032	قا嗶δηнг.exe	svchost.exe
PID 3032 wrote to memory of 2036	3032	قا嗶δηнг.exe	svchost.exe
PID 3032 wrote to memory of 2036	3032	قا嗶δηнг.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe
"C:\Users\Admin\AppData\Local\Temp\aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4220

C:\ProgramData\قا嗶δηнг.exe
"C:\ProgramData\قا嗶δηнг.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\قا嗶δηнг.exe
Filesize
424KB

MD5
a28604cbd7a845fe3bae400f76ae4046

SHA1
2bb828db31142a0d03b1f646375b688e130f6ee0

SHA256
aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71

SHA512
804e9d6076cc6cb886cb529897ec7c38314d658463ccc6567c0af7fbed61d2df770baf18886432b0e95c89fe0408b8816023a89a874630098190170f3de0f655

Download Submit
C:\ProgramData\قا嗶δηнг.exe
Filesize
424KB

MD5
a28604cbd7a845fe3bae400f76ae4046

SHA1
2bb828db31142a0d03b1f646375b688e130f6ee0

SHA256
aa8d1ceba7e76e1af37d400b6906091e81d9bf4969cd010a3a739a35b0e03c71

SHA512
804e9d6076cc6cb886cb529897ec7c38314d658463ccc6567c0af7fbed61d2df770baf18886432b0e95c89fe0408b8816023a89a874630098190170f3de0f655

Download Submit
memory/2036-145-0x0000000000000000-mapping.dmp

Download
memory/2036-147-0x000001AF44E60000-0x000001AF44E82000-memory.dmp

Filesize
136KB

Download
memory/3032-135-0x0000000000000000-mapping.dmp

Download
memory/3032-138-0x0000000002190000-0x00000000021C5000-memory.dmp

Filesize
212KB

Download
memory/3032-142-0x0000000002250000-0x0000000002281000-memory.dmp

Filesize
196KB

Download
memory/3032-143-0x00000000021D0000-0x0000000002201000-memory.dmp

Filesize
196KB

Download
memory/3032-144-0x0000000002251000-0x0000000002281000-memory.dmp

Filesize
192KB

Download
memory/3032-146-0x0000000010001000-0x0000000010006000-memory.dmp

Filesize
20KB

Download
memory/3032-148-0x0000000002251000-0x0000000002281000-memory.dmp

Filesize
192KB

Download
memory/4220-134-0x0000000002280000-0x00000000022B2000-memory.dmp

Filesize
200KB

Download
memory/4220-130-0x00000000022C0000-0x00000000022F5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads