trickbot | 5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3

General

Target

5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe
Size

383KB
MD5

366c27888902481f1e12ebbfa9ce946a
SHA1

7801599ce1123bfe5990534d0c649ec913aae5cd
SHA256

5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3
SHA512

6d253a38151308e9cbf5537cd440f094d159a3e90c5a4826ff94f4e16b2b66b39563da3807b59db83dfd74c0255d51e3d0e3afed1a631697c92dd7b3f10f51f5

Score

10^/10

trickbot ser1025us banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000287

Botnet

ser1025us

C2

193.111.63.208:443

68.3.14.71:443

174.105.235.178:449

5.196.131.249:443

181.113.17.230:449

205.157.150.98:443

185.251.38.187:443

207.140.14.141:443

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

82.202.236.66:443

74.140.160.33:449

76.181.182.166:449

140.190.54.187:449

82.222.40.119:449

24.119.69.70:449

188.68.208.242:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2020-79-0x0000000000260000-0x00000000002A0000-memory.dmp	trickbot_loader32
behavioral1/memory/1584-80-0x0000000000170000-0x00000000001B0000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe

pid process

1584 6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe

pid process

2020 5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe

pid	process
1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1404 sc.exe
1528 sc.exe

pid	process
1404	sc.exe
1528	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exepowershell.exe

pid	process
2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe
2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe
2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe
1740	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1740 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1740	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.execmd.execmd.execmd.exe6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe

description	pid	process	target process
PID 2020 wrote to memory of 1028	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 1028	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 1028	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 1028	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 1312	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 1312	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 1312	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 1312	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 984	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 984	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 984	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 984	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	cmd.exe
PID 2020 wrote to memory of 1584	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
PID 2020 wrote to memory of 1584	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
PID 2020 wrote to memory of 1584	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
PID 2020 wrote to memory of 1584	2020	5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
PID 1312 wrote to memory of 1404	1312	cmd.exe	sc.exe
PID 1312 wrote to memory of 1404	1312	cmd.exe	sc.exe
PID 1312 wrote to memory of 1404	1312	cmd.exe	sc.exe
PID 1312 wrote to memory of 1404	1312	cmd.exe	sc.exe
PID 984 wrote to memory of 1740	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 1740	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 1740	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 1740	984	cmd.exe	powershell.exe
PID 1028 wrote to memory of 1528	1028	cmd.exe	sc.exe
PID 1028 wrote to memory of 1528	1028	cmd.exe	sc.exe
PID 1028 wrote to memory of 1528	1028	cmd.exe	sc.exe
PID 1028 wrote to memory of 1528	1028	cmd.exe	sc.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe
PID 1584 wrote to memory of 1288	1584	6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe
"C:\Users\Admin\AppData\Local\Temp\5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:1528

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:1404

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Users\Admin\AppData\Roaming\WSOG\6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
C:\Users\Admin\AppData\Roaming\WSOG\6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1288

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3762437355-3468409815-1164039494-1000\0f5007522459c86e95ffcc62f32308f1_327f7753-eed3-43ec-871a-c7bcf65868ec
Filesize
1KB

MD5
9867c229bd7125d11d62a43a4e242df2

SHA1
f32eebbdefec4ff5c6cd856e8217557df3b41790

SHA256
cab862a40aa80512c215612821e1f972fa1f337dd8977d4ca2e3c88172d6fb4b

SHA512
7b18d6c04371007420709e35d3a1d9624b05a2034d826c3cfce8e0b55517ffd175bff91be5fab2632a369218740c1393cc5211253e523e9750ea2c182fbdaaee

Download Submit
C:\Users\Admin\AppData\Roaming\WSOG\6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
Filesize
383KB

MD5
366c27888902481f1e12ebbfa9ce946a

SHA1
7801599ce1123bfe5990534d0c649ec913aae5cd

SHA256
5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3

SHA512
6d253a38151308e9cbf5537cd440f094d159a3e90c5a4826ff94f4e16b2b66b39563da3807b59db83dfd74c0255d51e3d0e3afed1a631697c92dd7b3f10f51f5

Download Submit
\Users\Admin\AppData\Roaming\WSOG\6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
Filesize
383KB

MD5
366c27888902481f1e12ebbfa9ce946a

SHA1
7801599ce1123bfe5990534d0c649ec913aae5cd

SHA256
5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3

SHA512
6d253a38151308e9cbf5537cd440f094d159a3e90c5a4826ff94f4e16b2b66b39563da3807b59db83dfd74c0255d51e3d0e3afed1a631697c92dd7b3f10f51f5

Download Submit
memory/984-57-0x0000000000000000-mapping.dmp

Download
memory/1028-55-0x0000000000000000-mapping.dmp

Download
memory/1288-70-0x0000000000000000-mapping.dmp

Download
memory/1288-73-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/1312-56-0x0000000000000000-mapping.dmp

Download
memory/1404-62-0x0000000000000000-mapping.dmp

Download
memory/1528-64-0x0000000000000000-mapping.dmp

Download
memory/1584-59-0x0000000000000000-mapping.dmp

Download
memory/1584-67-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1584-80-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/1740-63-0x0000000000000000-mapping.dmp

Download
memory/1740-81-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1740-82-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/2020-79-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads