trickbot | 4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a

General

Target

4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe
Size

432KB
MD5

cc81fe7fb6e003030f177cd05cf9e60c
SHA1

da90ab593c8906513c90143767ab6676889c898e
SHA256

4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a
SHA512

e44cf55774bbce4ed20bc1fbe21971fbbc3fcdb2af7555bf2f022266a5b1320f4c83514e1826149dce6206427cb51db05c4086996b2c7f3ab019e7bae75dada8

Score

10^/10

trickbot tot632 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000491

Botnet

tot632

C2

23.94.70.12:443

5.182.210.132:443

5.2.75.137:443

172.82.152.136:443

198.23.252.117:443

194.5.250.62:443

185.14.30.176:443

195.123.245.127:443

195.54.162.179:443

184.164.137.190:443

198.46.161.213:443

64.44.51.106:443

107.172.251.159:443

85.143.220.41:443

107.172.29.108:443

107.172.208.51:443

107.181.187.221:443

190.214.13.2:449

181.140.173.186:449

181.129.104.139:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1100-56-0x0000000000470000-0x000000000049E000-memory.dmp	trickbot_loader32
behavioral1/memory/1100-69-0x0000000000470000-0x000000000049E000-memory.dmp	trickbot_loader32
behavioral1/memory/912-70-0x0000000000270000-0x000000000029E000-memory.dmp	trickbot_loader32
behavioral1/memory/592-83-0x0000000000250000-0x000000000027E000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe

pid	process
912	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe

Loads dropped DLL 2 IoCs

Processes:

4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe

pid	process
1100	4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe
1100	4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe

description pid process

Token: SeTcbPrivilege 592 4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe

description	pid	process
Token: SeTcbPrivilege	592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe

pid	process
1100	4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe
912	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exetaskeng.exe4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe

description	pid	process	target process
PID 1100 wrote to memory of 912	1100	4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
PID 1100 wrote to memory of 912	1100	4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
PID 1100 wrote to memory of 912	1100	4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
PID 1100 wrote to memory of 912	1100	4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
PID 912 wrote to memory of 1964	912	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 912 wrote to memory of 1964	912	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 912 wrote to memory of 1964	912	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 912 wrote to memory of 1964	912	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 912 wrote to memory of 1964	912	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 912 wrote to memory of 1964	912	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 1780 wrote to memory of 592	1780	taskeng.exe	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
PID 1780 wrote to memory of 592	1780	taskeng.exe	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
PID 1780 wrote to memory of 592	1780	taskeng.exe	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
PID 1780 wrote to memory of 592	1780	taskeng.exe	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
PID 592 wrote to memory of 672	592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 592 wrote to memory of 672	592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 592 wrote to memory of 672	592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 592 wrote to memory of 672	592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 592 wrote to memory of 672	592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe
PID 592 wrote to memory of 672	592	4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe
"C:\Users\Admin\AppData\Local\Temp\4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1964

C:\Windows\system32\taskeng.exe
taskeng.exe {1C101BB7-2481-4780-A1C9-3E20E3B00CA3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:672

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
Filesize
432KB

MD5
cc81fe7fb6e003030f177cd05cf9e60c

SHA1
da90ab593c8906513c90143767ab6676889c898e

SHA256
4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a

SHA512
e44cf55774bbce4ed20bc1fbe21971fbbc3fcdb2af7555bf2f022266a5b1320f4c83514e1826149dce6206427cb51db05c4086996b2c7f3ab019e7bae75dada8

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
Filesize
432KB

MD5
cc81fe7fb6e003030f177cd05cf9e60c

SHA1
da90ab593c8906513c90143767ab6676889c898e

SHA256
4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a

SHA512
e44cf55774bbce4ed20bc1fbe21971fbbc3fcdb2af7555bf2f022266a5b1320f4c83514e1826149dce6206427cb51db05c4086996b2c7f3ab019e7bae75dada8

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
Filesize
432KB

MD5
cc81fe7fb6e003030f177cd05cf9e60c

SHA1
da90ab593c8906513c90143767ab6676889c898e

SHA256
4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a

SHA512
e44cf55774bbce4ed20bc1fbe21971fbbc3fcdb2af7555bf2f022266a5b1320f4c83514e1826149dce6206427cb51db05c4086996b2c7f3ab019e7bae75dada8

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
Filesize
432KB

MD5
cc81fe7fb6e003030f177cd05cf9e60c

SHA1
da90ab593c8906513c90143767ab6676889c898e

SHA256
4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a

SHA512
e44cf55774bbce4ed20bc1fbe21971fbbc3fcdb2af7555bf2f022266a5b1320f4c83514e1826149dce6206427cb51db05c4086996b2c7f3ab019e7bae75dada8

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\4278849109f34b9821a7d8f843da1e08370890c984dbbaecd897bae9fadec32a.exe
Filesize
432KB

MD5
cc81fe7fb6e003030f177cd05cf9e60c

SHA1
da90ab593c8906513c90143767ab6676889c898e

SHA256
4258847107f34b9621a5d8f843da1e06350870c784dbbaecd675bae7fadec32a

SHA512
e44cf55774bbce4ed20bc1fbe21971fbbc3fcdb2af7555bf2f022266a5b1320f4c83514e1826149dce6206427cb51db05c4086996b2c7f3ab019e7bae75dada8

Download Submit
memory/592-84-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/592-83-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/592-75-0x0000000000000000-mapping.dmp

Download
memory/672-86-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/672-85-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/672-82-0x0000000000000000-mapping.dmp

Download
memory/912-61-0x0000000000000000-mapping.dmp

Download
memory/912-71-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/912-70-0x0000000000270000-0x000000000029E000-memory.dmp

Filesize
184KB

Download
memory/1100-69-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1100-56-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1100-58-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1964-73-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1964-72-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1964-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads