trickbot | 7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552

Analysis

Target

7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe
Size

162KB
MD5

cb469a6e407467018e844341d9e33319
SHA1

2b967f03b44866b3f48a55f494ca4bf267cd5adf
SHA256

7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552
SHA512

08cac052aaa95706e6a7001ed428fb6f646e0a1e245bf1aab7c02726386f905a38b89ad013243a07111ddef59e45795da375e4cb1f8ef76a0018e6a84005ccc5

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1700-54-0x0000000000330000-0x0000000000339000-memory.dmp	trickbot_loader32
behavioral1/memory/1700-55-0x0000000000330000-0x0000000000339000-memory.dmp	trickbot_loader32
behavioral1/memory/1700-57-0x0000000000330000-0x0000000000339000-memory.dmp	trickbot_loader32

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 596	1700	7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe	cmd.exe
PID 1700 wrote to memory of 596	1700	7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe	cmd.exe
PID 1700 wrote to memory of 596	1700	7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe	cmd.exe
PID 1700 wrote to memory of 596	1700	7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe	cmd.exe
PID 596 wrote to memory of 584	596	cmd.exe	powershell.exe
PID 596 wrote to memory of 584	596	cmd.exe	powershell.exe
PID 596 wrote to memory of 584	596	cmd.exe	powershell.exe
PID 596 wrote to memory of 584	596	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe
"C:\Users\Admin\AppData\Local\Temp\7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
/C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\7d038093ccb23e2344f2600956d02c92257ddee37dce2cdb214412739a96b552.exe"
3⤵
PID:584

memory/584-58-0x0000000000000000-mapping.dmp

Download
memory/584-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/596-56-0x0000000000000000-mapping.dmp

Download
memory/1700-54-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download
memory/1700-55-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download
memory/1700-57-0x0000000000330000-0x0000000000339000-memory.dmp

Filesize
36KB

Download