trickbot | 3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

General

Target

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe
Size

505KB
MD5

57cde74b65e113c5df45c1668100d4c5
SHA1

0e8b1073bee392aa99eb9c4400a39219fba4c022
SHA256

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480
SHA512

c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Score

10^/10

trickbot wmd38 banker dave trojan

Malware Config

Extracted

Family

trickbot

Version

1000497

Botnet

wmd38

C2

5.182.210.226:443

5.182.210.246:443

82.146.62.52:443

198.8.91.10:443

195.123.221.53:443

51.89.115.116:443

164.68.120.56:443

85.204.116.237:443

5.2.75.167:443

93.189.42.146:443

185.252.144.174:443

81.177.165.145:443

217.107.34.151:443

146.185.219.165:443

194.87.238.87:443

146.185.253.18:443

194.5.250.155:443

195.123.216.223:443

185.99.2.160:443

5.182.210.230:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 10 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2032-55-0x0000000001EE0000-0x0000000001F14000-memory.dmp	trickbot_loader32
behavioral1/memory/2032-63-0x0000000000250000-0x0000000000281000-memory.dmp	trickbot_loader32
behavioral1/memory/1588-65-0x0000000000300000-0x0000000000334000-memory.dmp	trickbot_loader32
behavioral1/memory/1588-69-0x0000000000570000-0x00000000005A0000-memory.dmp	trickbot_loader32
behavioral1/memory/1588-70-0x00000000003C0000-0x00000000003F0000-memory.dmp	trickbot_loader32
behavioral1/memory/1588-71-0x0000000000571000-0x00000000005A0000-memory.dmp	trickbot_loader32
behavioral1/memory/1588-75-0x0000000000571000-0x00000000005A0000-memory.dmp	trickbot_loader32
behavioral1/memory/804-81-0x00000000009A0000-0x00000000009D4000-memory.dmp	trickbot_loader32
behavioral1/memory/804-86-0x00000000009E1000-0x0000000000A10000-memory.dmp	trickbot_loader32
behavioral1/memory/804-89-0x00000000009E1000-0x0000000000A10000-memory.dmp	trickbot_loader32

Dave packer 4 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/2032-55-0x0000000001EE0000-0x0000000001F14000-memory.dmp	dave
behavioral1/memory/2032-63-0x0000000000250000-0x0000000000281000-memory.dmp	dave
behavioral1/memory/1588-65-0x0000000000300000-0x0000000000334000-memory.dmp	dave
behavioral1/memory/804-81-0x00000000009A0000-0x00000000009D4000-memory.dmp	dave

Executes dropped EXE 2 IoCs

Processes:

ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

pid process

1588 ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
804 ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Loads dropped DLL 1 IoCs

Processes:

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe

pid process

2032 3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1588	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
804	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

pid	process
2032	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe
1588	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
804	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exetaskeng.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

description	pid	process	target process
PID 2032 wrote to memory of 1588	2032	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 2032 wrote to memory of 1588	2032	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 2032 wrote to memory of 1588	2032	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 2032 wrote to memory of 1588	2032	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 1588 wrote to memory of 1524	1588	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1588 wrote to memory of 1524	1588	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1588 wrote to memory of 1524	1588	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1588 wrote to memory of 1524	1588	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1588 wrote to memory of 1524	1588	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1588 wrote to memory of 1524	1588	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1592 wrote to memory of 804	1592	taskeng.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 1592 wrote to memory of 804	1592	taskeng.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 1592 wrote to memory of 804	1592	taskeng.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 1592 wrote to memory of 804	1592	taskeng.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 804 wrote to memory of 1064	804	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 804 wrote to memory of 1064	804	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 804 wrote to memory of 1064	804	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 804 wrote to memory of 1064	804	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 804 wrote to memory of 1064	804	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 804 wrote to memory of 1064	804	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe
"C:\Users\Admin\AppData\Local\Temp\3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
"C:\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1524

C:\Windows\system32\taskeng.exe
taskeng.exe {12BF413E-F569-4160-A46A-B333CBBE0E47} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Roaming\windirect\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
C:\Users\Admin\AppData\Roaming\windirect\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1064

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
C:\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
memory/804-89-0x00000000009E1000-0x0000000000A10000-memory.dmp

Filesize
188KB

Download
memory/804-86-0x00000000009E1000-0x0000000000A10000-memory.dmp

Filesize
188KB

Download
memory/804-81-0x00000000009A0000-0x00000000009D4000-memory.dmp

Filesize
208KB

Download
memory/804-78-0x0000000000000000-mapping.dmp

Download
memory/1064-88-0x0000000000060000-0x0000000000082000-memory.dmp

Filesize
136KB

Download
memory/1064-87-0x0000000000000000-mapping.dmp

Download
memory/1524-76-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1524-72-0x0000000000000000-mapping.dmp

Download
memory/1524-74-0x00000000000E0000-0x0000000000102000-memory.dmp

Filesize
136KB

Download
memory/1588-70-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/1588-75-0x0000000000571000-0x00000000005A0000-memory.dmp

Filesize
188KB

Download
memory/1588-73-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1588-71-0x0000000000571000-0x00000000005A0000-memory.dmp

Filesize
188KB

Download
memory/1588-60-0x0000000000000000-mapping.dmp

Download
memory/1588-69-0x0000000000570000-0x00000000005A0000-memory.dmp

Filesize
192KB

Download
memory/1588-65-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2032-55-0x0000000001EE0000-0x0000000001F14000-memory.dmp

Filesize
208KB

Download
memory/2032-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/2032-63-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads