trickbot | 5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d

General

Target

5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe
Size

432KB
MD5

77a940af07da194ff27c1d33fd7dce73
SHA1

af15833d70ab5dccb3014616b3e24259b802f2c4
SHA256

5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d
SHA512

f5d92f1c8d23f4bfc32004e8dbd7d88f732a455bdf94e10e6a5a456e7e4762006d3b17550822496b8a3f6f06c4de68152b4f650c1546159b55a90a59649f8dd0

Score

10^/10

trickbot tot632 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000491

Botnet

tot632

C2

23.94.70.12:443

5.182.210.132:443

5.2.75.137:443

172.82.152.136:443

198.23.252.117:443

194.5.250.62:443

185.14.30.176:443

195.123.245.127:443

195.54.162.179:443

184.164.137.190:443

198.46.161.213:443

64.44.51.106:443

107.172.251.159:443

85.143.220.41:443

107.172.29.108:443

107.172.208.51:443

107.181.187.221:443

190.214.13.2:449

181.140.173.186:449

181.129.104.139:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1728-56-0x00000000002E0000-0x000000000030E000-memory.dmp	trickbot_loader32
behavioral1/memory/1728-65-0x00000000002E0000-0x000000000030E000-memory.dmp	trickbot_loader32
behavioral1/memory/1660-70-0x0000000000260000-0x000000000028E000-memory.dmp	trickbot_loader32
behavioral1/memory/1892-83-0x0000000000280000-0x00000000002AE000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe

pid	process
1660	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe

Loads dropped DLL 2 IoCs

Processes:

5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe

pid	process
1728	5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe
1728	5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe

description pid process

Token: SeTcbPrivilege 1892 7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe

description	pid	process
Token: SeTcbPrivilege	1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe

pid	process
1728	5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe
1660	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exetaskeng.exe7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe

description	pid	process	target process
PID 1728 wrote to memory of 1660	1728	5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
PID 1728 wrote to memory of 1660	1728	5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
PID 1728 wrote to memory of 1660	1728	5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
PID 1728 wrote to memory of 1660	1728	5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
PID 1660 wrote to memory of 960	1660	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1660 wrote to memory of 960	1660	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1660 wrote to memory of 960	1660	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1660 wrote to memory of 960	1660	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1660 wrote to memory of 960	1660	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1660 wrote to memory of 960	1660	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1016 wrote to memory of 1892	1016	taskeng.exe	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
PID 1016 wrote to memory of 1892	1016	taskeng.exe	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
PID 1016 wrote to memory of 1892	1016	taskeng.exe	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
PID 1016 wrote to memory of 1892	1016	taskeng.exe	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
PID 1892 wrote to memory of 1164	1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1892 wrote to memory of 1164	1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1892 wrote to memory of 1164	1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1892 wrote to memory of 1164	1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1892 wrote to memory of 1164	1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe
PID 1892 wrote to memory of 1164	1892	7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe
"C:\Users\Admin\AppData\Local\Temp\5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:960

C:\Windows\system32\taskeng.exe
taskeng.exe {2E9661C2-2A0D-4CE8-B938-8B39385B9133} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1164

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
Filesize
432KB

MD5
77a940af07da194ff27c1d33fd7dce73

SHA1
af15833d70ab5dccb3014616b3e24259b802f2c4

SHA256
5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d

SHA512
f5d92f1c8d23f4bfc32004e8dbd7d88f732a455bdf94e10e6a5a456e7e4762006d3b17550822496b8a3f6f06c4de68152b4f650c1546159b55a90a59649f8dd0

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
Filesize
432KB

MD5
77a940af07da194ff27c1d33fd7dce73

SHA1
af15833d70ab5dccb3014616b3e24259b802f2c4

SHA256
5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d

SHA512
f5d92f1c8d23f4bfc32004e8dbd7d88f732a455bdf94e10e6a5a456e7e4762006d3b17550822496b8a3f6f06c4de68152b4f650c1546159b55a90a59649f8dd0

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
Filesize
432KB

MD5
77a940af07da194ff27c1d33fd7dce73

SHA1
af15833d70ab5dccb3014616b3e24259b802f2c4

SHA256
5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d

SHA512
f5d92f1c8d23f4bfc32004e8dbd7d88f732a455bdf94e10e6a5a456e7e4762006d3b17550822496b8a3f6f06c4de68152b4f650c1546159b55a90a59649f8dd0

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
Filesize
432KB

MD5
77a940af07da194ff27c1d33fd7dce73

SHA1
af15833d70ab5dccb3014616b3e24259b802f2c4

SHA256
5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d

SHA512
f5d92f1c8d23f4bfc32004e8dbd7d88f732a455bdf94e10e6a5a456e7e4762006d3b17550822496b8a3f6f06c4de68152b4f650c1546159b55a90a59649f8dd0

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\7734b9acb499f398230d38289a4218c8712a3fe2f843b0c7fd04d84c07d79f7d.exe
Filesize
432KB

MD5
77a940af07da194ff27c1d33fd7dce73

SHA1
af15833d70ab5dccb3014616b3e24259b802f2c4

SHA256
5534b7acb497f398230d38287a4216c8512a3fe2f643b0c5fd04d64c05d57f5d

SHA512
f5d92f1c8d23f4bfc32004e8dbd7d88f732a455bdf94e10e6a5a456e7e4762006d3b17550822496b8a3f6f06c4de68152b4f650c1546159b55a90a59649f8dd0

Download Submit
memory/960-73-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/960-69-0x0000000000000000-mapping.dmp

Download
memory/960-72-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1164-86-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1164-85-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1164-82-0x0000000000000000-mapping.dmp

Download
memory/1660-61-0x0000000000000000-mapping.dmp

Download
memory/1660-70-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/1660-71-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1728-65-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/1728-56-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/1728-58-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1892-75-0x0000000000000000-mapping.dmp

Download
memory/1892-83-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/1892-84-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads