trickbot | da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6

General

Target

da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe
Size

296KB
MD5

884b9ba2a87f49828659b2c5a01c0dae
SHA1

9ab732009d02f9b82ec02e4dbbd92106652ddb77
SHA256

da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6
SHA512

810dc40fe36179abec96a4cce45e340710cab605b0c2eb89a57679c75318c1c58003c59db1beed3d96af872a481a6b84b01b8fe7833db6808744f2154afba203

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1968-55-0x00000000003F0000-0x00000000003F9000-memory.dmp	trickbot_loader32
behavioral1/memory/1968-56-0x00000000003F0000-0x00000000003F9000-memory.dmp	trickbot_loader32
behavioral1/memory/1968-58-0x00000000003F0000-0x00000000003F9000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1824 powershell.exe

pid	process
1824	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1824 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1824 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe

pid process

1968 da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe

pid	process
1824	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1824	powershell.exe

pid	process
1968	da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 936	1968	da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe	cmd.exe
PID 1968 wrote to memory of 936	1968	da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe	cmd.exe
PID 1968 wrote to memory of 936	1968	da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe	cmd.exe
PID 1968 wrote to memory of 936	1968	da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe	cmd.exe
PID 936 wrote to memory of 1824	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 1824	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 1824	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 1824	936	cmd.exe	powershell.exe

C:\Windows\SysWOW64\cmd.exe
/C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\da75bffa697de8d12806a2141cf2099a2c39f0b5bc259586fa22911082513aa6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:936

memory/936-57-0x0000000000000000-mapping.dmp

Download
memory/1824-59-0x0000000000000000-mapping.dmp

Download
memory/1824-61-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/1824-62-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1968-55-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/1968-56-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/1968-58-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download