trickbot | ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c

General

Target

ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe
Size

545KB
MD5

573835d85e963507b07123fcb20a121b
SHA1

9926c45a64b6e85897f35b2e9df226f7ea5e68fd
SHA256

ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c
SHA512

7bac91e3235a1c46f6b885d18d4cc50c33dbe68c6f7c1daade0dd7c99d6717556d7f6b07d704f9b93974192a1c39879a76a723e3ce9628f9452ba8d7177ca605

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1672-54-0x0000000000370000-0x0000000000379000-memory.dmp	trickbot_loader32
behavioral1/memory/1672-56-0x0000000000370000-0x0000000000379000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2004 powershell.exe

pid	process
2004	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2004 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2004 powershell.exe

pid	process
2004	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2004	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 992	1672	ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe	cmd.exe
PID 1672 wrote to memory of 992	1672	ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe	cmd.exe
PID 1672 wrote to memory of 992	1672	ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe	cmd.exe
PID 1672 wrote to memory of 992	1672	ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe	cmd.exe
PID 992 wrote to memory of 2004	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 2004	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 2004	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 2004	992	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe
"C:\Users\Admin\AppData\Local\Temp\ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
/C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\ced5f6300ee6bd51b53cfa353c4fecb123ec651decb447707ad5aa030480523c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:992

memory/992-55-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/1672-56-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/2004-57-0x0000000000000000-mapping.dmp

Download
memory/2004-58-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/2004-59-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/2004-60-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download