trickbot | b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d

General

Target

b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exe
Size

256KB
MD5

b67312b06040d026a13b7a08faff1cb3
SHA1

fcf6efd4e9ee2454c791a8258666d4b23937ff50
SHA256

b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d
SHA512

8f084c42f97d5ad6061be522e1c3f19ad69a096437e9dd2909713f763cfbe8ddc6f150e577df024eb13775360024d5ed833c84ac57e96e917785a978dc37cf43

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 8 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4932-132-0x0000000003260000-0x000000000328B000-memory.dmp	trickbot_loader32
behavioral2/memory/4932-134-0x0000000003260000-0x000000000328B000-memory.dmp	trickbot_loader32
behavioral2/memory/4368-142-0x0000000004730000-0x000000000475B000-memory.dmp	trickbot_loader32
behavioral2/memory/4932-153-0x0000000003260000-0x000000000328B000-memory.dmp	trickbot_loader32
behavioral2/memory/4368-154-0x0000000004730000-0x000000000475B000-memory.dmp	trickbot_loader32
behavioral2/memory/3204-160-0x0000000000E20000-0x0000000000E4B000-memory.dmp	trickbot_loader32
behavioral2/memory/3204-161-0x0000000000E20000-0x0000000000E4B000-memory.dmp	trickbot_loader32
behavioral2/memory/3204-172-0x0000000000E20000-0x0000000000E4B000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exeb19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe

pid	process
4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe

description pid process

Token: SeTcbPrivilege 3204 b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe

description	pid	process
Token: SeTcbPrivilege	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exeb19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exeb19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe

pid	process
4932	b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exe
4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exeb19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exeb19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe

description	pid	process	target process
PID 4932 wrote to memory of 4368	4932	b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exe	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
PID 4932 wrote to memory of 4368	4932	b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exe	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
PID 4932 wrote to memory of 4368	4932	b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exe	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 4368 wrote to memory of 3836	4368	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe
PID 3204 wrote to memory of 1296	3204	b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exe
"C:\Users\Admin\AppData\Local\Temp\b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Roaming\SysDefrag\b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3836

C:\Users\Admin\AppData\Roaming\SysDefrag\b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SysDefrag\b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
Filesize
256KB

MD5
b67312b06040d026a13b7a08faff1cb3

SHA1
fcf6efd4e9ee2454c791a8258666d4b23937ff50

SHA256
b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d

SHA512
8f084c42f97d5ad6061be522e1c3f19ad69a096437e9dd2909713f763cfbe8ddc6f150e577df024eb13775360024d5ed833c84ac57e96e917785a978dc37cf43

Download Submit
C:\Users\Admin\AppData\Roaming\SysDefrag\b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
Filesize
256KB

MD5
b67312b06040d026a13b7a08faff1cb3

SHA1
fcf6efd4e9ee2454c791a8258666d4b23937ff50

SHA256
b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d

SHA512
8f084c42f97d5ad6061be522e1c3f19ad69a096437e9dd2909713f763cfbe8ddc6f150e577df024eb13775360024d5ed833c84ac57e96e917785a978dc37cf43

Download Submit
C:\Users\Admin\AppData\Roaming\SysDefrag\b19eb88b3f796f601298239a73db91ed97fef181cd9cb8367188dc3cd2caa79d.exe
Filesize
256KB

MD5
b67312b06040d026a13b7a08faff1cb3

SHA1
fcf6efd4e9ee2454c791a8258666d4b23937ff50

SHA256
b19eb77b3f695f501297238a63db91ed96fef171cd8cb7356177dc3cd2caa69d

SHA512
8f084c42f97d5ad6061be522e1c3f19ad69a096437e9dd2909713f763cfbe8ddc6f150e577df024eb13775360024d5ed833c84ac57e96e917785a978dc37cf43

Download Submit
memory/1296-166-0x0000000000000000-mapping.dmp

Download
memory/3204-172-0x0000000000E20000-0x0000000000E4B000-memory.dmp

Filesize
172KB

Download
memory/3204-161-0x0000000000E20000-0x0000000000E4B000-memory.dmp

Filesize
172KB

Download
memory/3204-160-0x0000000000E20000-0x0000000000E4B000-memory.dmp

Filesize
172KB

Download
memory/3836-147-0x0000000000000000-mapping.dmp

Download
memory/3836-149-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4368-154-0x0000000004730000-0x000000000475B000-memory.dmp

Filesize
172KB

Download
memory/4368-144-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4368-142-0x0000000004730000-0x000000000475B000-memory.dmp

Filesize
172KB

Download
memory/4368-135-0x0000000000000000-mapping.dmp

Download
memory/4932-132-0x0000000003260000-0x000000000328B000-memory.dmp

Filesize
172KB

Download
memory/4932-153-0x0000000003260000-0x000000000328B000-memory.dmp

Filesize
172KB

Download
memory/4932-134-0x0000000003260000-0x000000000328B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads