trickbot | 7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

General

Target

7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
Size

324KB
MD5

b2dc507828839a7be9480788f3070f22
SHA1

006e3c0e7edb3e46706c84bef04e5bc3dbe63c85
SHA256

7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8
SHA512

b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

Score

10^/10

trickbot red2 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000491

Botnet

red2

C2

23.94.70.12:443

5.182.210.132:443

5.2.75.137:443

172.82.152.136:443

198.23.252.117:443

194.5.250.62:443

185.14.30.176:443

195.123.245.127:443

195.54.162.179:443

184.164.137.190:443

198.46.161.213:443

64.44.51.106:443

107.172.251.159:443

85.143.220.41:443

107.172.29.108:443

107.172.208.51:443

107.181.187.221:443

190.214.13.2:449

181.140.173.186:449

181.129.104.139:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/952-61-0x0000000000660000-0x000000000068D000-memory.dmp	trickbot_loader32
behavioral1/memory/952-63-0x0000000000270000-0x000000000029D000-memory.dmp	trickbot_loader32
behavioral1/memory/952-64-0x0000000000661000-0x000000000068D000-memory.dmp	trickbot_loader32
behavioral1/memory/928-74-0x00000000004F1000-0x000000000051D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

ñôâÿûâÛÔ.exeñôâÿûâÛÔ.exe

pid process

952 ñôâÿûâÛÔ.exe
928 ñôâÿûâÛÔ.exe

pid	process
952	ñôâÿûâÛÔ.exe
928	ñôâÿûâÛÔ.exe

Loads dropped DLL 2 IoCs

Processes:

7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe

pid	process
1472	7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
1472	7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 4 IoCs

Processes:

ñôâÿûâÛÔ.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications	ñôâÿûâÛÔ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\HexEnc	ñôâÿûâÛÔ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\HexEnc\Recent File List	ñôâÿûâÛÔ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\HexEnc\Settings	ñôâÿûâÛÔ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1040 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1040	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exeñôâÿûâÛÔ.exeñôâÿûâÛÔ.exe

pid	process
1472	7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
1472	7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
952	ñôâÿûâÛÔ.exe
952	ñôâÿûâÛÔ.exe
928	ñôâÿûâÛÔ.exe
928	ñôâÿûâÛÔ.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exeñôâÿûâÛÔ.exetaskeng.exeñôâÿûâÛÔ.exe

description	pid	process	target process
PID 1472 wrote to memory of 952	1472	7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe	ñôâÿûâÛÔ.exe
PID 1472 wrote to memory of 952	1472	7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe	ñôâÿûâÛÔ.exe
PID 1472 wrote to memory of 952	1472	7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe	ñôâÿûâÛÔ.exe
PID 1472 wrote to memory of 952	1472	7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe	ñôâÿûâÛÔ.exe
PID 952 wrote to memory of 1828	952	ñôâÿûâÛÔ.exe	svchost.exe
PID 952 wrote to memory of 1828	952	ñôâÿûâÛÔ.exe	svchost.exe
PID 952 wrote to memory of 1828	952	ñôâÿûâÛÔ.exe	svchost.exe
PID 952 wrote to memory of 1828	952	ñôâÿûâÛÔ.exe	svchost.exe
PID 952 wrote to memory of 1828	952	ñôâÿûâÛÔ.exe	svchost.exe
PID 952 wrote to memory of 1828	952	ñôâÿûâÛÔ.exe	svchost.exe
PID 940 wrote to memory of 928	940	taskeng.exe	ñôâÿûâÛÔ.exe
PID 940 wrote to memory of 928	940	taskeng.exe	ñôâÿûâÛÔ.exe
PID 940 wrote to memory of 928	940	taskeng.exe	ñôâÿûâÛÔ.exe
PID 940 wrote to memory of 928	940	taskeng.exe	ñôâÿûâÛÔ.exe
PID 928 wrote to memory of 1040	928	ñôâÿûâÛÔ.exe	svchost.exe
PID 928 wrote to memory of 1040	928	ñôâÿûâÛÔ.exe	svchost.exe
PID 928 wrote to memory of 1040	928	ñôâÿûâÛÔ.exe	svchost.exe
PID 928 wrote to memory of 1040	928	ñôâÿûâÛÔ.exe	svchost.exe
PID 928 wrote to memory of 1040	928	ñôâÿûâÛÔ.exe	svchost.exe
PID 928 wrote to memory of 1040	928	ñôâÿûâÛÔ.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe
"C:\Users\Admin\AppData\Local\Temp\7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472

C:\ProgramData\ñôâÿûâÛÔ.exe
"C:\ProgramData\ñôâÿûâÛÔ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1828

C:\Windows\system32\taskeng.exe
taskeng.exe {263BB000-3773-4E10-B5E0-C0C0A525059C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ñôâÿûâÛÔ.exe
Filesize
324KB

MD5
b2dc507828839a7be9480788f3070f22

SHA1
006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

SHA256
7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

SHA512
b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

Download Submit
C:\ProgramData\ñôâÿûâÛÔ.exe
Filesize
324KB

MD5
b2dc507828839a7be9480788f3070f22

SHA1
006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

SHA256
7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

SHA512
b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

Download Submit
C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
Filesize
324KB

MD5
b2dc507828839a7be9480788f3070f22

SHA1
006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

SHA256
7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

SHA512
b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

Download Submit
C:\Users\Admin\AppData\Roaming\adirect\ñôâÿûâÛÔ.exe
Filesize
324KB

MD5
b2dc507828839a7be9480788f3070f22

SHA1
006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

SHA256
7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

SHA512
b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

Download Submit
\ProgramData\ñôâÿûâÛÔ.exe
Filesize
324KB

MD5
b2dc507828839a7be9480788f3070f22

SHA1
006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

SHA256
7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

SHA512
b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

Download Submit
\ProgramData\ñôâÿûâÛÔ.exe
Filesize
324KB

MD5
b2dc507828839a7be9480788f3070f22

SHA1
006e3c0e7edb3e46706c84bef04e5bc3dbe63c85

SHA256
7f6950ade2e54fec60c62d9443ee5527cdadf2b1aca3d86acadee2773dad97c8

SHA512
b14a9ce30bbad42e9ba048cba2e290cc6d50356694b9c1a92bb245469652a43b6e29ece76cfe403dd34b28bf1fe0548722c2df765842d11bd656a220407650fb

Download Submit
memory/928-74-0x00000000004F1000-0x000000000051D000-memory.dmp

Filesize
176KB

Download
memory/928-69-0x0000000000000000-mapping.dmp

Download
memory/952-57-0x0000000000000000-mapping.dmp

Download
memory/952-61-0x0000000000660000-0x000000000068D000-memory.dmp

Filesize
180KB

Download
memory/952-63-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/952-64-0x0000000000661000-0x000000000068D000-memory.dmp

Filesize
176KB

Download
memory/952-65-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1040-73-0x0000000000000000-mapping.dmp

Download
memory/1040-75-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1040-76-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1828-67-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1828-66-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1828-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads