trickbot | df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3

General

Target

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
Size

516KB
MD5

e18c9d414140f2cde7ae1151489f65b6
SHA1

79ed070d71ab2bf5ef7a669a328624e4e5c898b5
SHA256

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3
SHA512

78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2

Score

10^/10

trickbot lib346 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000293

Botnet

lib346

C2

51.68.170.58:443

68.3.14.71:443

174.105.235.178:449

195.54.162.247:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

5.189.224.254:443

71.94.101.25:443

206.130.141.255:449

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

75.102.135.23:449

24.119.69.70:449

85.143.223.51:443

103.110.91.118:449

68.4.173.10:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1360-56-0x00000000003B0000-0x00000000003F0000-memory.dmp	trickbot_loader32
behavioral1/memory/1360-71-0x00000000003B0000-0x00000000003F0000-memory.dmp	trickbot_loader32
behavioral1/memory/1764-88-0x0000000000490000-0x00000000004D0000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

pid process

1764 df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

Loads dropped DLL 2 IoCs

Processes:

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe

pid	process
1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1608 sc.exe
1768 sc.exe

pid	process
1608	sc.exe
1768	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exepowershell.exe

pid	process
1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
992	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 992 powershell.exe

description	pid	process
Token: SeDebugPrivilege	992	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exedf9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

pid	process
1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.execmd.execmd.execmd.exedf9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

description	pid	process	target process
PID 1360 wrote to memory of 908	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 908	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 908	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 908	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 1604	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 1604	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 1604	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 1604	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 536	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 536	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 536	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 536	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	cmd.exe
PID 1360 wrote to memory of 1764	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
PID 1360 wrote to memory of 1764	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
PID 1360 wrote to memory of 1764	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
PID 1360 wrote to memory of 1764	1360	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
PID 908 wrote to memory of 1768	908	cmd.exe	sc.exe
PID 908 wrote to memory of 1768	908	cmd.exe	sc.exe
PID 908 wrote to memory of 1768	908	cmd.exe	sc.exe
PID 908 wrote to memory of 1768	908	cmd.exe	sc.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	sc.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	sc.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	sc.exe
PID 1604 wrote to memory of 1608	1604	cmd.exe	sc.exe
PID 536 wrote to memory of 992	536	cmd.exe	powershell.exe
PID 536 wrote to memory of 992	536	cmd.exe	powershell.exe
PID 536 wrote to memory of 992	536	cmd.exe	powershell.exe
PID 536 wrote to memory of 992	536	cmd.exe	powershell.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1764 wrote to memory of 1348	1764	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
"C:\Users\Admin\AppData\Local\Temp\df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:1768

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:1608

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
C:\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1348

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
Filesize
516KB

MD5
e18c9d414140f2cde7ae1151489f65b6

SHA1
79ed070d71ab2bf5ef7a669a328624e4e5c898b5

SHA256
df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3

SHA512
78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2

Download Submit
\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
Filesize
516KB

MD5
e18c9d414140f2cde7ae1151489f65b6

SHA1
79ed070d71ab2bf5ef7a669a328624e4e5c898b5

SHA256
df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3

SHA512
78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2

Download Submit
\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
Filesize
516KB

MD5
e18c9d414140f2cde7ae1151489f65b6

SHA1
79ed070d71ab2bf5ef7a669a328624e4e5c898b5

SHA256
df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3

SHA512
78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2

Download Submit
memory/536-61-0x0000000000000000-mapping.dmp

Download
memory/908-59-0x0000000000000000-mapping.dmp

Download
memory/992-90-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/992-89-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/992-70-0x0000000000000000-mapping.dmp

Download
memory/1348-80-0x0000000000000000-mapping.dmp

Download
memory/1348-82-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/1360-58-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1360-56-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1360-71-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1604-60-0x0000000000000000-mapping.dmp

Download
memory/1608-67-0x0000000000000000-mapping.dmp

Download
memory/1764-77-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1764-88-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1764-64-0x0000000000000000-mapping.dmp

Download
memory/1768-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads