trickbot | df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3

General

Target

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
Size

516KB
MD5

e18c9d414140f2cde7ae1151489f65b6
SHA1

79ed070d71ab2bf5ef7a669a328624e4e5c898b5
SHA256

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3
SHA512

78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2

Score

10^/10

trickbot lib346 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000293

Botnet

lib346

C2

51.68.170.58:443

68.3.14.71:443

174.105.235.178:449

195.54.162.247:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

5.189.224.254:443

71.94.101.25:443

206.130.141.255:449

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

75.102.135.23:449

24.119.69.70:449

85.143.223.51:443

103.110.91.118:449

68.4.173.10:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/5040-132-0x0000000002FF0000-0x0000000003030000-memory.dmp	trickbot_loader32
behavioral2/memory/5040-134-0x0000000002FF0000-0x0000000003030000-memory.dmp	trickbot_loader32
behavioral2/memory/1232-142-0x0000000002120000-0x0000000002160000-memory.dmp	trickbot_loader32
behavioral2/memory/5040-153-0x0000000002FF0000-0x0000000003030000-memory.dmp	trickbot_loader32
behavioral2/memory/1232-156-0x0000000002120000-0x0000000002160000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

pid process

1232 df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

pid	process
1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WSIGE\\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 icanhazip.com
34 myexternalip.com
43 myexternalip.com

flow	ioc
13	icanhazip.com
34	myexternalip.com
43	myexternalip.com

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exedf9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

pid	process
5040	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exedf9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe

description	pid	process	target process
PID 5040 wrote to memory of 1232	5040	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
PID 5040 wrote to memory of 1232	5040	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
PID 5040 wrote to memory of 1232	5040	df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe
PID 1232 wrote to memory of 4788	1232	df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe
"C:\Users\Admin\AppData\Local\Temp\df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
C:\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
Filesize
516KB

MD5
e18c9d414140f2cde7ae1151489f65b6

SHA1
79ed070d71ab2bf5ef7a669a328624e4e5c898b5

SHA256
df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3

SHA512
78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2

Download Submit
C:\Users\Admin\AppData\Roaming\WSIGE\df9de76b3cce6e70de0674776a4c28293b80227e3341c466c10f0df8812413b3.exe
Filesize
516KB

MD5
e18c9d414140f2cde7ae1151489f65b6

SHA1
79ed070d71ab2bf5ef7a669a328624e4e5c898b5

SHA256
df8de65b3cce5e60de0564665a4c27283b70226e3341c455c10f0df7712413b3

SHA512
78fd08a6b2e3b9d9adb74a947225d3d49bc91bdc713a20dadf19f658eb985a39b8699d68844e46f5d72907edca95dbc05cf347ed7cf86f32720a280475c7a4e2

Download Submit
memory/1232-135-0x0000000000000000-mapping.dmp

Download
memory/1232-142-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/1232-144-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1232-156-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/4788-147-0x0000000000000000-mapping.dmp

Download
memory/4788-149-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/5040-132-0x0000000002FF0000-0x0000000003030000-memory.dmp

Filesize
256KB

Download
memory/5040-134-0x0000000002FF0000-0x0000000003030000-memory.dmp

Filesize
256KB

Download
memory/5040-153-0x0000000002FF0000-0x0000000003030000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads