trickbot | b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04

General

Target

b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe
Size

268KB
MD5

d45995955d4daa70aca8cd90cc44b836
SHA1

f8a110db571ae02c02ea709a133c34ab16f7be44
SHA256

b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04
SHA512

53d3bd30adcb3eda4b0f6f3f38dbd6951b1bbcf7bc7cfe6ba23886687d215c529542dbcdfab44828d46b29b65b0ba45f9cce3ffe37c35fe60875648d800f0bd7

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1660-54-0x0000000000250000-0x0000000000280000-memory.dmp	trickbot_loader32
behavioral1/memory/1660-56-0x0000000000220000-0x000000000024E000-memory.dmp	trickbot_loader32
behavioral1/memory/1660-58-0x0000000000251000-0x000000000027F000-memory.dmp	trickbot_loader32
behavioral1/memory/1660-60-0x0000000000251000-0x000000000027F000-memory.dmp	trickbot_loader32
behavioral1/memory/1504-70-0x0000000000451000-0x000000000047F000-memory.dmp	trickbot_loader32
behavioral1/memory/1504-72-0x0000000000451000-0x000000000047F000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe

pid process

1504 b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 572 svchost.exe

pid	process
1504	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe

description	pid	process
Token: SeTcbPrivilege	572	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exetaskeng.exeb20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe

description	pid	process	target process
PID 1660 wrote to memory of 1732	1660	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 1660 wrote to memory of 1732	1660	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 1660 wrote to memory of 1732	1660	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 1660 wrote to memory of 1732	1660	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 1660 wrote to memory of 1732	1660	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 1660 wrote to memory of 1732	1660	b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe	svchost.exe
PID 1708 wrote to memory of 1504	1708	taskeng.exe	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
PID 1708 wrote to memory of 1504	1708	taskeng.exe	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
PID 1708 wrote to memory of 1504	1708	taskeng.exe	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
PID 1708 wrote to memory of 1504	1708	taskeng.exe	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
PID 1504 wrote to memory of 572	1504	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe
PID 1504 wrote to memory of 572	1504	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe
PID 1504 wrote to memory of 572	1504	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe
PID 1504 wrote to memory of 572	1504	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe
PID 1504 wrote to memory of 572	1504	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe
PID 1504 wrote to memory of 572	1504	b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe
"C:\Users\Admin\AppData\Local\Temp\b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1732

C:\Windows\system32\taskeng.exe
taskeng.exe {9C00456F-C101-4789-AD0D-7DAE05072A0B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Roaming\syshealth\b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
C:\Users\Admin\AppData\Roaming\syshealth\b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\syshealth\b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
Filesize
268KB

MD5
d45995955d4daa70aca8cd90cc44b836

SHA1
f8a110db571ae02c02ea709a133c34ab16f7be44

SHA256
b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04

SHA512
53d3bd30adcb3eda4b0f6f3f38dbd6951b1bbcf7bc7cfe6ba23886687d215c529542dbcdfab44828d46b29b65b0ba45f9cce3ffe37c35fe60875648d800f0bd7

Download Submit
C:\Users\Admin\AppData\Roaming\syshealth\b20fa8e0c7082182e399b3e1e84298fdc3d780ca4bfc29a4dfc90833229ebd04.exe
Filesize
268KB

MD5
d45995955d4daa70aca8cd90cc44b836

SHA1
f8a110db571ae02c02ea709a133c34ab16f7be44

SHA256
b20fa6e0c5082182e379b3e1e84298fdc3d580ca4bfc29a4dfc90833227ebd04

SHA512
53d3bd30adcb3eda4b0f6f3f38dbd6951b1bbcf7bc7cfe6ba23886687d215c529542dbcdfab44828d46b29b65b0ba45f9cce3ffe37c35fe60875648d800f0bd7

Download Submit
memory/572-73-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/572-71-0x0000000000000000-mapping.dmp

Download
memory/572-74-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1504-70-0x0000000000451000-0x000000000047F000-memory.dmp

Filesize
184KB

Download
memory/1504-72-0x0000000000451000-0x000000000047F000-memory.dmp

Filesize
184KB

Download
memory/1504-65-0x0000000000000000-mapping.dmp

Download
memory/1660-58-0x0000000000251000-0x000000000027F000-memory.dmp

Filesize
184KB

Download
memory/1660-61-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1660-60-0x0000000000251000-0x000000000027F000-memory.dmp

Filesize
184KB

Download
memory/1660-54-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1660-56-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/1660-57-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1732-59-0x0000000000000000-mapping.dmp

Download
memory/1732-63-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1732-62-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing