trickbot | 3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

General

Target

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe
Size

620KB
MD5

c1823f10c2540a557d85bb9ae73a148e
SHA1

36a288be0acf1d50a4602ee99ab1df113b40bb9c
SHA256

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1
SHA512

19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Score

10^/10

trickbot kin4 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000474

Botnet

kin4

C2

51.68.247.62:443

37.228.117.146:443

91.132.139.170:443

37.44.212.216:443

31.184.253.37:443

51.254.69.244:443

194.5.250.82:443

5.230.22.40:443

185.222.202.222:443

46.30.41.229:443

203.23.128.168:443

190.154.203.218:449

189.80.134.122:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

146.196.122.167:449

177.103.240.149:449

181.199.102.179:449

200.21.51.38:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/956-61-0x00000000004A0000-0x00000000004CD000-memory.dmp	trickbot_loader32
behavioral1/memory/956-63-0x00000000004A0000-0x00000000004CD000-memory.dmp	trickbot_loader32
behavioral1/memory/276-70-0x0000000000EF0000-0x0000000000F1D000-memory.dmp	trickbot_loader32
behavioral1/memory/276-72-0x0000000000EF0000-0x0000000000F1D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

দগসগহু্িমুনপত.exeদগসগহু্িমুনপত.exe

pid process

956 দগসগহু্িমুনপত.exe
276 দগসগহু্িমুনপত.exe

pid	process
956	দগসগহু্িমুনপত.exe
276	দগসগহু্িমুনপত.exe

Loads dropped DLL 2 IoCs

Processes:

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe

pid	process
912	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe
912	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 580 svchost.exe

description	pid	process
Token: SeTcbPrivilege	580	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exeদগসগহু্িমুনপত.exeদগসগহু্িমুনপত.exe

pid	process
912	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe
956	দগসগহু্িমুনপত.exe
276	দগসগহু্িমুনপত.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exeদগসগহু্িমুনপত.exetaskeng.exeদগসগহু্িমুনপত.exe

description	pid	process	target process
PID 912 wrote to memory of 956	912	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe	দগসগহু্িমুনপত.exe
PID 912 wrote to memory of 956	912	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe	দগসগহু্িমুনপত.exe
PID 912 wrote to memory of 956	912	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe	দগসগহু্িমুনপত.exe
PID 912 wrote to memory of 956	912	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe	দগসগহু্িমুনপত.exe
PID 956 wrote to memory of 1696	956	দগসগহু্িমুনপত.exe	svchost.exe
PID 956 wrote to memory of 1696	956	দগসগহু্িমুনপত.exe	svchost.exe
PID 956 wrote to memory of 1696	956	দগসগহু্িমুনপত.exe	svchost.exe
PID 956 wrote to memory of 1696	956	দগসগহু্িমুনপত.exe	svchost.exe
PID 956 wrote to memory of 1696	956	দগসগহু্িমুনপত.exe	svchost.exe
PID 956 wrote to memory of 1696	956	দগসগহু্িমুনপত.exe	svchost.exe
PID 1300 wrote to memory of 276	1300	taskeng.exe	দগসগহু্িমুনপত.exe
PID 1300 wrote to memory of 276	1300	taskeng.exe	দগসগহু্িমুনপত.exe
PID 1300 wrote to memory of 276	1300	taskeng.exe	দগসগহু্িমুনপত.exe
PID 1300 wrote to memory of 276	1300	taskeng.exe	দগসগহু্িমুনপত.exe
PID 276 wrote to memory of 580	276	দগসগহু্িমুনপত.exe	svchost.exe
PID 276 wrote to memory of 580	276	দগসগহু্িমুনপত.exe	svchost.exe
PID 276 wrote to memory of 580	276	দগসগহু্িমুনপত.exe	svchost.exe
PID 276 wrote to memory of 580	276	দগসগহু্িমুনপত.exe	svchost.exe
PID 276 wrote to memory of 580	276	দগসগহু্িমুনপত.exe	svchost.exe
PID 276 wrote to memory of 580	276	দগসগহু্িমুনপত.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe
"C:\Users\Admin\AppData\Local\Temp\3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\ProgramData\দগসগহু্িমুনপত.exe
"C:\ProgramData\দগসগহু্িমুনপত.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1696

C:\Windows\system32\taskeng.exe
taskeng.exe {CCA01A66-7EE6-4316-9429-683D95CFD34B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Roaming\iCloud\দগসগহু্িমুনপত.exe
C:\Users\Admin\AppData\Roaming\iCloud\দগসগহু্িমুনপত.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
C:\ProgramData\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
C:\Users\Admin\AppData\Roaming\iCloud\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
C:\Users\Admin\AppData\Roaming\iCloud\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
\ProgramData\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
\ProgramData\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
memory/276-67-0x0000000000000000-mapping.dmp

Download
memory/276-70-0x0000000000EF0000-0x0000000000F1D000-memory.dmp

Filesize
180KB

Download
memory/276-72-0x0000000000EF0000-0x0000000000F1D000-memory.dmp

Filesize
180KB

Download
memory/580-71-0x0000000000000000-mapping.dmp

Download
memory/580-73-0x0000000000060000-0x000000000007D000-memory.dmp

Filesize
116KB

Download
memory/580-74-0x0000000000060000-0x000000000007D000-memory.dmp

Filesize
116KB

Download
memory/912-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/956-63-0x00000000004A0000-0x00000000004CD000-memory.dmp

Filesize
180KB

Download
memory/956-61-0x00000000004A0000-0x00000000004CD000-memory.dmp

Filesize
180KB

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/1696-62-0x0000000000000000-mapping.dmp

Download
memory/1696-64-0x0000000000060000-0x000000000007D000-memory.dmp

Filesize
116KB

Download
memory/1696-65-0x0000000000060000-0x000000000007D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads