trickbot | 4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9

Analysis

max time kernel
139s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12/07/2022, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9.exe
Size

191KB
MD5

60bdd4902b48e69b25eeee4df19ad417
SHA1

2848018b904ef4faa2dabbb47c3816c3fb051d46
SHA256

4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9
SHA512

673cc67fc3bf238aa0e8bcf7fa9df60887aac380ad023a1710d997fc4ff5a6d6473992ac00a6b912a2ddbf3296f10f14784dda0eea401d130545c67052e139be

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2960-130-0x0000000000E00000-0x0000000000E29000-memory.dmp	trickbot_loader32
behavioral2/memory/2960-135-0x0000000000E00000-0x0000000000E29000-memory.dmp	trickbot_loader32
behavioral2/memory/2236-146-0x00000000006A0000-0x00000000006C9000-memory.dmp	trickbot_loader32
behavioral2/memory/2272-158-0x00000000007A0000-0x00000000007C9000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe
2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2236	2960	4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9.exe	79
PID 2960 wrote to memory of 2236	2960	4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9.exe	79
PID 2960 wrote to memory of 2236	2960	4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9.exe	79
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2236 wrote to memory of 2864	2236	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	80
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83
PID 2272 wrote to memory of 4300	2272	4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe	83

C:\Users\Admin\AppData\Local\Temp\4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9.exe
"C:\Users\Admin\AppData\Local\Temp\4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Roaming\speedNetwork\4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe
  C:\Users\Admin\AppData\Roaming\speedNetwork\4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2864

C:\Users\Admin\AppData\Roaming\speedNetwork\4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe
C:\Users\Admin\AppData\Roaming\speedNetwork\4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2632097139-1792035885-811742494-1000\0f5007522459c86e95ffcc62f32308f1_2c37a701-1043-4f89-b4d1-d05ed25c6971

Filesize
1KB

MD5
2bae5bcb7dfb9e7ab5ca4f917dba5b68

SHA1
43fbbc28e005a3092e8bb20853bbb573256a5200

SHA256
224e44a84d18fafe3ce246442cf22bb134e988a72d7f8f40dac240cfb29e9281

SHA512
c7f9b906b745a5eea47f33f29ff2d029ae038620b608aa7adfa7119c505275188491077409609a7656e94e49a5affba78ba55802cca74393d1b827ceeb6ccb19

Download Submit
C:\Users\Admin\AppData\Roaming\speedNetwork\4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe

Filesize
191KB

MD5
60bdd4902b48e69b25eeee4df19ad417

SHA1
2848018b904ef4faa2dabbb47c3816c3fb051d46

SHA256
4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9

SHA512
673cc67fc3bf238aa0e8bcf7fa9df60887aac380ad023a1710d997fc4ff5a6d6473992ac00a6b912a2ddbf3296f10f14784dda0eea401d130545c67052e139be

Download Submit
C:\Users\Admin\AppData\Roaming\speedNetwork\4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe

Filesize
191KB

MD5
60bdd4902b48e69b25eeee4df19ad417

SHA1
2848018b904ef4faa2dabbb47c3816c3fb051d46

SHA256
4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9

SHA512
673cc67fc3bf238aa0e8bcf7fa9df60887aac380ad023a1710d997fc4ff5a6d6473992ac00a6b912a2ddbf3296f10f14784dda0eea401d130545c67052e139be

Download Submit
C:\Users\Admin\AppData\Roaming\speedNetwork\4bbc66914ecf0989d939081a9c9eb9d1e29d4b64eb4182de70403437690fd2c9.exe

Filesize
191KB

MD5
60bdd4902b48e69b25eeee4df19ad417

SHA1
2848018b904ef4faa2dabbb47c3816c3fb051d46

SHA256
4bbc55814ecf0878d938071a8c8eb9d1e28d4b54eb4172de60403436590fd2c9

SHA512
673cc67fc3bf238aa0e8bcf7fa9df60887aac380ad023a1710d997fc4ff5a6d6473992ac00a6b912a2ddbf3296f10f14784dda0eea401d130545c67052e139be

Download Submit
memory/2236-137-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2236-146-0x00000000006A0000-0x00000000006C9000-memory.dmp

Filesize
164KB

Download
memory/2272-158-0x00000000007A0000-0x00000000007C9000-memory.dmp

Filesize
164KB

Download
memory/2864-142-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2960-135-0x0000000000E00000-0x0000000000E29000-memory.dmp

Filesize
164KB

Download
memory/2960-130-0x0000000000E00000-0x0000000000E29000-memory.dmp

Filesize
164KB

Download