trickbot | c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945

General

Target

c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe
Size

316KB
MD5

a9adbe7646f3a0f01aa5615632590276
SHA1

9aeda7bc09b987bfece30df46c6ccc4f350e1b1d
SHA256

c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945
SHA512

e70f632689e9f152da874f48f350223e55bee83944e6e6edf0157f9ec325cb30782da36899a222085bd79f62ce161d759219c68d1f7c9f9bcd54ce9be105c7d5

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/844-55-0x0000000000310000-0x0000000000319000-memory.dmp	trickbot_loader32
behavioral1/memory/844-56-0x0000000000310000-0x0000000000319000-memory.dmp	trickbot_loader32
behavioral1/memory/844-58-0x0000000000310000-0x0000000000319000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

548 powershell.exe

pid	process
548	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

548 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 548 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe

pid process

844 c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe

pid	process
548	powershell.exe

description	pid	process
Token: SeDebugPrivilege	548	powershell.exe

pid	process
844	c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 1936	844	c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe	cmd.exe
PID 844 wrote to memory of 1936	844	c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe	cmd.exe
PID 844 wrote to memory of 1936	844	c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe	cmd.exe
PID 844 wrote to memory of 1936	844	c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe	cmd.exe
PID 1936 wrote to memory of 548	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 548	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 548	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 548	1936	cmd.exe	powershell.exe

C:\Windows\SysWOW64\cmd.exe
/C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\c56f3a37857215bd8c93f549a1aea01ca9f48ad1c12ac7dabde678f00d216945.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

memory/548-59-0x0000000000000000-mapping.dmp

Download
memory/548-61-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/548-62-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/844-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/844-55-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/844-56-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/844-58-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/1936-57-0x0000000000000000-mapping.dmp

Download