trickbot | bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb

General

Target

bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
Size

567KB
MD5

0cd4def993787db96cced94d5fbbd3d7
SHA1

c81a923e6924286cd3506ccebe4ae9597f55c7dc
SHA256

bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb
SHA512

045eeb9b3854f7adea628f1180a1c799f2953f1c70c27ad5b0cc829ca6f633f37c40d89eb96270d7ba40588e587d390bf22aa3dde832dd7d4d8fa2df19406afc

Score

10^/10

trickbot ddd5 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000496

Botnet

ddd5

C2

5.182.210.226:443

85.204.116.128:443

185.62.188.34:443

5.2.78.43:443

79.143.31.246:443

93.189.46.122:443

31.184.254.50:443

195.123.217.226:443

185.99.2.117:443

104.168.96.113:443

188.165.62.36:443

5.182.210.246:443

5.2.78.98:443

185.142.99.8:443

185.252.144.135:443

82.146.62.52:443

212.109.220.111:443

91.235.129.25:443

5.182.210.109:443

198.8.91.10:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/736-61-0x0000000000320000-0x0000000000350000-memory.dmp	trickbot_loader32
behavioral1/memory/736-64-0x0000000000321000-0x0000000000350000-memory.dmp	trickbot_loader32
behavioral1/memory/736-63-0x0000000000250000-0x000000000027F000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

гнпроаааааа.exe

pid process

736 гнпроаааааа.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1348 cmd.exe

pid	process
736	гнпроаааааа.exe

pid	process
1348	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe

pid	process
1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2040 PING.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

гнпроаааааа.exe

pid process

736 гнпроаааааа.exe

pid	process
2040	PING.EXE

pid	process
736	гнпроаааааа.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.execmd.exe

description	pid	process	target process
PID 1896 wrote to memory of 736	1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe	гнпроаааааа.exe
PID 1896 wrote to memory of 736	1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe	гнпроаааааа.exe
PID 1896 wrote to memory of 736	1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe	гнпроаааааа.exe
PID 1896 wrote to memory of 736	1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe	гнпроаааааа.exe
PID 1896 wrote to memory of 1348	1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe	cmd.exe
PID 1896 wrote to memory of 1348	1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe	cmd.exe
PID 1896 wrote to memory of 1348	1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe	cmd.exe
PID 1896 wrote to memory of 1348	1896	bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe	cmd.exe
PID 1348 wrote to memory of 2040	1348	cmd.exe	PING.EXE
PID 1348 wrote to memory of 2040	1348	cmd.exe	PING.EXE
PID 1348 wrote to memory of 2040	1348	cmd.exe	PING.EXE
PID 1348 wrote to memory of 2040	1348	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe
"C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\ProgramData\гнпроаааааа.exe
"C:\ProgramData\гнпроаааааа.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\bee3e999d337475d1cd6bca087410be0afefbb5036fcb500a15c79c3c45daceb.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:2040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\гнпроаааааа.exe
Filesize
272KB

MD5
2ea7224a97ba74607275231bde318c2f

SHA1
da62536c5b9246a99dfb8c6c7223a6dc81e7986a

SHA256
6d895de3e87c8a28b64240eb13113cc4598451e4dd6c7e8a9bcc8dac31657d66

SHA512
b1149076c39835c5a773fb8f257893231d4faf340acc943fc780d9ebf48c4ada102965700020dea56fac85f68ccc0e86ac0c4e96e3492f6c7d4439bccda80ec3

Download Submit
\ProgramData\гнпроаааааа.exe
Filesize
272KB

MD5
2ea7224a97ba74607275231bde318c2f

SHA1
da62536c5b9246a99dfb8c6c7223a6dc81e7986a

SHA256
6d895de3e87c8a28b64240eb13113cc4598451e4dd6c7e8a9bcc8dac31657d66

SHA512
b1149076c39835c5a773fb8f257893231d4faf340acc943fc780d9ebf48c4ada102965700020dea56fac85f68ccc0e86ac0c4e96e3492f6c7d4439bccda80ec3

Download Submit
\ProgramData\гнпроаааааа.exe
Filesize
272KB

MD5
2ea7224a97ba74607275231bde318c2f

SHA1
da62536c5b9246a99dfb8c6c7223a6dc81e7986a

SHA256
6d895de3e87c8a28b64240eb13113cc4598451e4dd6c7e8a9bcc8dac31657d66

SHA512
b1149076c39835c5a773fb8f257893231d4faf340acc943fc780d9ebf48c4ada102965700020dea56fac85f68ccc0e86ac0c4e96e3492f6c7d4439bccda80ec3

Download Submit
memory/736-57-0x0000000000000000-mapping.dmp

Download
memory/736-61-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/736-64-0x0000000000321000-0x0000000000350000-memory.dmp

Filesize
188KB

Download
memory/736-63-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1348-59-0x0000000000000000-mapping.dmp

Download
memory/1896-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads