trickbot | 3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

General

Target

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe
Size

620KB
MD5

c1823f10c2540a557d85bb9ae73a148e
SHA1

36a288be0acf1d50a4602ee99ab1df113b40bb9c
SHA256

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1
SHA512

19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Score

10^/10

trickbot kin4 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000474

Botnet

kin4

C2

51.68.247.62:443

37.228.117.146:443

91.132.139.170:443

37.44.212.216:443

31.184.253.37:443

51.254.69.244:443

194.5.250.82:443

5.230.22.40:443

185.222.202.222:443

46.30.41.229:443

203.23.128.168:443

190.154.203.218:449

189.80.134.122:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

146.196.122.167:449

177.103.240.149:449

181.199.102.179:449

200.21.51.38:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1012-133-0x00000000021D0000-0x00000000021FD000-memory.dmp	trickbot_loader32
behavioral2/memory/1012-135-0x00000000021D0000-0x00000000021FD000-memory.dmp	trickbot_loader32
behavioral2/memory/3520-141-0x0000000000E70000-0x0000000000E9D000-memory.dmp	trickbot_loader32
behavioral2/memory/3520-143-0x0000000000E70000-0x0000000000E9D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

দগসগহু্িমুনপত.exeদগসগহু্িমুনপত.exe

pid process

1012 দগসগহু্িমুনপত.exe
3520 দগসগহু্িমুনপত.exe

pid	process
1012	দগসগহু্িমুনপত.exe
3520	দগসগহু্িমুনপত.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 4252 svchost.exe

description	pid	process
Token: SeTcbPrivilege	4252	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exeদগসগহু্িমুনপত.exeদগসগহু্িমুনপত.exe

pid	process
4752	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe
1012	দগসগহু্িমুনপত.exe
3520	দগসগহু্িমুনপত.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exeদগসগহু্িমুনপত.exeদগসগহু্িমুনপত.exe

description	pid	process	target process
PID 4752 wrote to memory of 1012	4752	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe	দগসগহু্িমুনপত.exe
PID 4752 wrote to memory of 1012	4752	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe	দগসগহু্িমুনপত.exe
PID 4752 wrote to memory of 1012	4752	3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe	দগসগহু্িমুনপত.exe
PID 1012 wrote to memory of 3084	1012	দগসগহু্িমুনপত.exe	svchost.exe
PID 1012 wrote to memory of 3084	1012	দগসগহু্িমুনপত.exe	svchost.exe
PID 1012 wrote to memory of 3084	1012	দগসগহু্িমুনপত.exe	svchost.exe
PID 1012 wrote to memory of 3084	1012	দগসগহু্িমুনপত.exe	svchost.exe
PID 3520 wrote to memory of 4252	3520	দগসগহু্িমুনপত.exe	svchost.exe
PID 3520 wrote to memory of 4252	3520	দগসগহু্িমুনপত.exe	svchost.exe
PID 3520 wrote to memory of 4252	3520	দগসগহু্িমুনপত.exe	svchost.exe
PID 3520 wrote to memory of 4252	3520	দগসগহু্িমুনপত.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe
"C:\Users\Admin\AppData\Local\Temp\3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752

C:\ProgramData\দগসগহু্িমুনপত.exe
"C:\ProgramData\দগসগহু্িমুনপত.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3084

C:\Users\Admin\AppData\Roaming\iCloud\দগসগহু্িমুনপত.exe
C:\Users\Admin\AppData\Roaming\iCloud\দগসগহু্িমুনপত.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
C:\ProgramData\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
C:\Users\Admin\AppData\Roaming\iCloud\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
C:\Users\Admin\AppData\Roaming\iCloud\দগসগহু্িমুনপত.exe
Filesize
620KB

MD5
c1823f10c2540a557d85bb9ae73a148e

SHA1
36a288be0acf1d50a4602ee99ab1df113b40bb9c

SHA256
3b9c6021ac6a2d0a194851ab815d0c7d2d690acd51ac826142644a2d78ba88a1

SHA512
19a81cbd69c002f56a884fd0dad7299d3bf49f3c45770e36c9f0345a49ba69f142e0378bb4d5881040f5daa348e1988dc1d02502394710352ace670735450b81

Download Submit
memory/1012-130-0x0000000000000000-mapping.dmp

Download
memory/1012-133-0x00000000021D0000-0x00000000021FD000-memory.dmp

Filesize
180KB

Download
memory/1012-136-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1012-135-0x00000000021D0000-0x00000000021FD000-memory.dmp

Filesize
180KB

Download
memory/3084-138-0x000002304E410000-0x000002304E42D000-memory.dmp

Filesize
116KB

Download
memory/3084-137-0x000002304E410000-0x000002304E42D000-memory.dmp

Filesize
116KB

Download
memory/3084-134-0x0000000000000000-mapping.dmp

Download
memory/3520-141-0x0000000000E70000-0x0000000000E9D000-memory.dmp

Filesize
180KB

Download
memory/3520-143-0x0000000000E70000-0x0000000000E9D000-memory.dmp

Filesize
180KB

Download
memory/4252-142-0x0000000000000000-mapping.dmp

Download
memory/4252-144-0x000001B5080A0000-0x000001B5080BD000-memory.dmp

Filesize
116KB

Download
memory/4252-145-0x000001B5080A0000-0x000001B5080BD000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads