trickbot | e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

General

Target

e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe
Size

350KB
MD5

02441573d362188574bb84b67032b83f
SHA1

1a00c86f95c432810a173bbb4cb5e241282b0609
SHA256

e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee
SHA512

8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2012-61-0x00000000003D0000-0x0000000000400000-memory.dmp	trickbot_loader32
behavioral1/memory/2012-63-0x00000000003A0000-0x00000000003CE000-memory.dmp	trickbot_loader32
behavioral1/memory/2012-64-0x00000000003D1000-0x00000000003FF000-memory.dmp	trickbot_loader32
behavioral1/memory/2012-66-0x00000000003D1000-0x00000000003FF000-memory.dmp	trickbot_loader32
behavioral1/memory/1796-75-0x00000000003B1000-0x00000000003DF000-memory.dmp	trickbot_loader32
behavioral1/memory/1796-77-0x00000000003B1000-0x00000000003DF000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

ÑÑ‡Ð².exeÑÑ‡Ð².exe

pid process

2012 ÑÑ‡Ð².exe
1796 ÑÑ‡Ð².exe

pid	process
2012	ÑÑ‡Ð².exe
1796	ÑÑ‡Ð².exe

Loads dropped DLL 2 IoCs

Processes:

e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe

pid	process
1772	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe
1772	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 592 svchost.exe

description	pid	process
Token: SeTcbPrivilege	592	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exeÑÑ‡Ð².exetaskeng.exeÑÑ‡Ð².exe

description	pid	process	target process
PID 1772 wrote to memory of 2012	1772	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe	ÑÑ‡Ð².exe
PID 1772 wrote to memory of 2012	1772	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe	ÑÑ‡Ð².exe
PID 1772 wrote to memory of 2012	1772	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe	ÑÑ‡Ð².exe
PID 1772 wrote to memory of 2012	1772	e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe	ÑÑ‡Ð².exe
PID 2012 wrote to memory of 1968	2012	ÑÑ‡Ð².exe	svchost.exe
PID 2012 wrote to memory of 1968	2012	ÑÑ‡Ð².exe	svchost.exe
PID 2012 wrote to memory of 1968	2012	ÑÑ‡Ð².exe	svchost.exe
PID 2012 wrote to memory of 1968	2012	ÑÑ‡Ð².exe	svchost.exe
PID 2012 wrote to memory of 1968	2012	ÑÑ‡Ð².exe	svchost.exe
PID 2012 wrote to memory of 1968	2012	ÑÑ‡Ð².exe	svchost.exe
PID 1804 wrote to memory of 1796	1804	taskeng.exe	ÑÑ‡Ð².exe
PID 1804 wrote to memory of 1796	1804	taskeng.exe	ÑÑ‡Ð².exe
PID 1804 wrote to memory of 1796	1804	taskeng.exe	ÑÑ‡Ð².exe
PID 1804 wrote to memory of 1796	1804	taskeng.exe	ÑÑ‡Ð².exe
PID 1796 wrote to memory of 592	1796	ÑÑ‡Ð².exe	svchost.exe
PID 1796 wrote to memory of 592	1796	ÑÑ‡Ð².exe	svchost.exe
PID 1796 wrote to memory of 592	1796	ÑÑ‡Ð².exe	svchost.exe
PID 1796 wrote to memory of 592	1796	ÑÑ‡Ð².exe	svchost.exe
PID 1796 wrote to memory of 592	1796	ÑÑ‡Ð².exe	svchost.exe
PID 1796 wrote to memory of 592	1796	ÑÑ‡Ð².exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe
"C:\Users\Admin\AppData\Local\Temp\e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772

C:\ProgramData\ÑÑ‡Ð².exe
"C:\ProgramData\ÑÑ‡Ð².exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1968

C:\Windows\system32\taskeng.exe
taskeng.exe {BAC4FE6E-2984-45D1-A8D9-910436729373} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Roaming\cmdcache\ÑÑ‡Ð².exe
C:\Users\Admin\AppData\Roaming\cmdcache\ÑÑ‡Ð².exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:592

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
C:\ProgramData\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
C:\Users\Admin\AppData\Roaming\cmdcache\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
C:\Users\Admin\AppData\Roaming\cmdcache\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
\ProgramData\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
\ProgramData\ÑÑ‡Ð².exe
Filesize
350KB

MD5
02441573d362188574bb84b67032b83f

SHA1
1a00c86f95c432810a173bbb4cb5e241282b0609

SHA256
e053947a18a68631a4ef994942164414a319641bfb01185d6f55b317cbb128ee

SHA512
8e2a397f89fde598a2b9afd7f0432dbd241179471e76240f6d37399f0e5bc7b812c0379b685493ec8c7cd669cc803af69136ce53da4e9374d9257abd2a613556

Download Submit
memory/592-80-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/592-79-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/592-76-0x0000000000000000-mapping.dmp

Download
memory/1772-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1796-70-0x0000000000000000-mapping.dmp

Download
memory/1796-75-0x00000000003B1000-0x00000000003DF000-memory.dmp

Filesize
184KB

Download
memory/1796-77-0x00000000003B1000-0x00000000003DF000-memory.dmp

Filesize
184KB

Download
memory/1796-78-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1968-67-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1968-68-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1968-65-0x0000000000000000-mapping.dmp

Download
memory/2012-66-0x00000000003D1000-0x00000000003FF000-memory.dmp

Filesize
184KB

Download
memory/2012-64-0x00000000003D1000-0x00000000003FF000-memory.dmp

Filesize
184KB

Download
memory/2012-63-0x00000000003A0000-0x00000000003CE000-memory.dmp

Filesize
184KB

Download
memory/2012-61-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads