trickbot | 3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

General

Target

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe
Size

505KB
MD5

57cde74b65e113c5df45c1668100d4c5
SHA1

0e8b1073bee392aa99eb9c4400a39219fba4c022
SHA256

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480
SHA512

c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Score

10^/10

trickbot wmd38 banker dave trojan

Malware Config

Extracted

Family

trickbot

Version

1000497

Botnet

wmd38

C2

5.182.210.226:443

5.182.210.246:443

82.146.62.52:443

198.8.91.10:443

195.123.221.53:443

51.89.115.116:443

164.68.120.56:443

85.204.116.237:443

5.2.75.167:443

93.189.42.146:443

185.252.144.174:443

81.177.165.145:443

217.107.34.151:443

146.185.219.165:443

194.87.238.87:443

146.185.253.18:443

194.5.250.155:443

195.123.216.223:443

185.99.2.160:443

5.182.210.230:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 10 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/2220-130-0x0000000002420000-0x0000000002454000-memory.dmp	trickbot_loader32
behavioral2/memory/2220-134-0x0000000002280000-0x00000000022B1000-memory.dmp	trickbot_loader32
behavioral2/memory/1732-138-0x0000000002390000-0x00000000023C4000-memory.dmp	trickbot_loader32
behavioral2/memory/1732-142-0x00000000007C0000-0x00000000007F0000-memory.dmp	trickbot_loader32
behavioral2/memory/1732-143-0x0000000000610000-0x0000000000640000-memory.dmp	trickbot_loader32
behavioral2/memory/1732-144-0x00000000007C1000-0x00000000007F0000-memory.dmp	trickbot_loader32
behavioral2/memory/1732-149-0x00000000007C1000-0x00000000007F0000-memory.dmp	trickbot_loader32
behavioral2/memory/3824-152-0x0000000000E40000-0x0000000000E74000-memory.dmp	trickbot_loader32
behavioral2/memory/3824-157-0x0000000000FF1000-0x0000000001020000-memory.dmp	trickbot_loader32
behavioral2/memory/3824-160-0x0000000000FF1000-0x0000000001020000-memory.dmp	trickbot_loader32

Dave packer 4 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/2220-130-0x0000000002420000-0x0000000002454000-memory.dmp	dave
behavioral2/memory/2220-134-0x0000000002280000-0x00000000022B1000-memory.dmp	dave
behavioral2/memory/1732-138-0x0000000002390000-0x00000000023C4000-memory.dmp	dave
behavioral2/memory/3824-152-0x0000000000E40000-0x0000000000E74000-memory.dmp	dave

Executes dropped EXE 2 IoCs

Processes:

ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

pid process

1732 ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
3824 ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

pid	process
1732	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
3824	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 2196 svchost.exe

description	pid	process
Token: SeTcbPrivilege	2196	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

pid	process
2220	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe
1732	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
3824	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exeᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe

description	pid	process	target process
PID 2220 wrote to memory of 1732	2220	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 2220 wrote to memory of 1732	2220	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 2220 wrote to memory of 1732	2220	3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
PID 1732 wrote to memory of 4320	1732	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1732 wrote to memory of 4320	1732	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1732 wrote to memory of 4320	1732	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 1732 wrote to memory of 4320	1732	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 3824 wrote to memory of 2196	3824	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 3824 wrote to memory of 2196	3824	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 3824 wrote to memory of 2196	3824	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe
PID 3824 wrote to memory of 2196	3824	ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe
"C:\Users\Admin\AppData\Local\Temp\3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
"C:\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4320

C:\Users\Admin\AppData\Roaming\windirect\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
C:\Users\Admin\AppData\Roaming\windirect\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
C:\ProgramData\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ᠷᠳᠹᠭᠭռգռգռգᠲᠬᠬᠭᠬ.exe
Filesize
505KB

MD5
57cde74b65e113c5df45c1668100d4c5

SHA1
0e8b1073bee392aa99eb9c4400a39219fba4c022

SHA256
3707cbfe93439bc28a86c4e3e5acc878617372bd0baf69f78f990c672b6b5480

SHA512
c5148df379aa0f4d2100f1530ea5b2a2568f1b055705e68d9085022b5df803271e4bb6fefa97c7b9a9899b6e99eb145613a4eb79836bc51739a6bc9ea0e33ae2

Download Submit
memory/1732-138-0x0000000002390000-0x00000000023C4000-memory.dmp

Filesize
208KB

Download
memory/1732-142-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/1732-143-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/1732-144-0x00000000007C1000-0x00000000007F0000-memory.dmp

Filesize
188KB

Download
memory/1732-146-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1732-149-0x00000000007C1000-0x00000000007F0000-memory.dmp

Filesize
188KB

Download
memory/1732-135-0x0000000000000000-mapping.dmp

Download
memory/2196-161-0x000001C1D2C00000-0x000001C1D2C22000-memory.dmp

Filesize
136KB

Download
memory/2196-159-0x000001C1D2C00000-0x000001C1D2C22000-memory.dmp

Filesize
136KB

Download
memory/2196-158-0x0000000000000000-mapping.dmp

Download
memory/2220-130-0x0000000002420000-0x0000000002454000-memory.dmp

Filesize
208KB

Download
memory/2220-134-0x0000000002280000-0x00000000022B1000-memory.dmp

Filesize
196KB

Download
memory/3824-157-0x0000000000FF1000-0x0000000001020000-memory.dmp

Filesize
188KB

Download
memory/3824-152-0x0000000000E40000-0x0000000000E74000-memory.dmp

Filesize
208KB

Download
memory/3824-160-0x0000000000FF1000-0x0000000001020000-memory.dmp

Filesize
188KB

Download
memory/4320-148-0x0000024A1D9F0000-0x0000024A1DA12000-memory.dmp

Filesize
136KB

Download
memory/4320-147-0x0000024A1D9F0000-0x0000024A1DA12000-memory.dmp

Filesize
136KB

Download
memory/4320-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads