trickbot | e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

General

Target

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
Size

500KB
MD5

befa5f863f0135a4c707840bca4a00d8
SHA1

59638e244df8b59916d1c16c94eae8ee8f2814b5
SHA256

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2
SHA512

7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4644-133-0x0000000002190000-0x00000000021BE000-memory.dmp	trickbot_loader32
behavioral2/memory/4644-142-0x0000000002160000-0x000000000218D000-memory.dmp	trickbot_loader32
behavioral2/memory/1720-144-0x00000000029F1000-0x0000000002A1D000-memory.dmp	trickbot_loader32
behavioral2/memory/4644-143-0x0000000002191000-0x00000000021BD000-memory.dmp	trickbot_loader32
behavioral2/memory/748-150-0x00000000015D1000-0x00000000015FD000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

àâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exe

pid process

4644 àâûñ÷âöóûâïï.exe
1720 àâûñ÷âöóûâïï.exe
748 àâûñ÷âöóûâïï.exe

pid	process
4644	àâûñ÷âöóûâïï.exe
1720	àâûñ÷âöóûâïï.exe
748	àâûñ÷âöóûâïï.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

àâûñ÷âöóûâïï.exe

description pid process

Token: SeTcbPrivilege 748 àâûñ÷âöóûâïï.exe

description	pid	process
Token: SeTcbPrivilege	748	àâûñ÷âöóûâïï.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exe

pid	process
4908	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
4908	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
4644	àâûñ÷âöóûâïï.exe
4644	àâûñ÷âöóûâïï.exe
1720	àâûñ÷âöóûâïï.exe
1720	àâûñ÷âöóûâïï.exe
748	àâûñ÷âöóûâïï.exe
748	àâûñ÷âöóûâïï.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exeàâûñ÷âöóûâïï.exe

description	pid	process	target process
PID 4908 wrote to memory of 4644	4908	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe	àâûñ÷âöóûâïï.exe
PID 4908 wrote to memory of 4644	4908	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe	àâûñ÷âöóûâïï.exe
PID 4908 wrote to memory of 4644	4908	e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe	àâûñ÷âöóûâïï.exe
PID 4644 wrote to memory of 1720	4644	àâûñ÷âöóûâïï.exe	àâûñ÷âöóûâïï.exe
PID 4644 wrote to memory of 1720	4644	àâûñ÷âöóûâïï.exe	àâûñ÷âöóûâïï.exe
PID 4644 wrote to memory of 1720	4644	àâûñ÷âöóûâïï.exe	àâûñ÷âöóûâïï.exe
PID 1720 wrote to memory of 4144	1720	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1720 wrote to memory of 4144	1720	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1720 wrote to memory of 4144	1720	àâûñ÷âöóûâïï.exe	svchost.exe
PID 1720 wrote to memory of 4144	1720	àâûñ÷âöóûâïï.exe	svchost.exe
PID 748 wrote to memory of 3940	748	àâûñ÷âöóûâïï.exe	svchost.exe
PID 748 wrote to memory of 3940	748	àâûñ÷âöóûâïï.exe	svchost.exe
PID 748 wrote to memory of 3940	748	àâûñ÷âöóûâïï.exe	svchost.exe
PID 748 wrote to memory of 3940	748	àâûñ÷âöóûâïï.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe
"C:\Users\Admin\AppData\Local\Temp\e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908

C:\ProgramData\àâûñ÷âöóûâïï.exe
"C:\ProgramData\àâûñ÷âöóûâïï.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:4144

C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
C:\ProgramData\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\àâûñ÷âöóûâïï.exe
Filesize
500KB

MD5
befa5f863f0135a4c707840bca4a00d8

SHA1
59638e244df8b59916d1c16c94eae8ee8f2814b5

SHA256
e1e8f2d69fe48bf6b52d75beb78cb36675b261b44b12682c860ce61176dfaaf2

SHA512
7c4c59ebf90234ac018ba51c5a9a1d3804a5701388d87f04c4ccaf54be3fb0b88920ed7b8ee4f875704724363be3c762834bb529c0ea30c3b88930f1411b4154

Download Submit
memory/748-151-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/748-150-0x00000000015D1000-0x00000000015FD000-memory.dmp

Filesize
176KB

Download
memory/1720-145-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1720-144-0x00000000029F1000-0x0000000002A1D000-memory.dmp

Filesize
176KB

Download
memory/1720-135-0x0000000000000000-mapping.dmp

Download
memory/3940-149-0x0000000000000000-mapping.dmp

Download
memory/3940-152-0x0000024D148E0000-0x0000024D14900000-memory.dmp

Filesize
128KB

Download
memory/3940-153-0x0000024D148E0000-0x0000024D14900000-memory.dmp

Filesize
128KB

Download
memory/4144-141-0x0000022A00D30000-0x0000022A00D50000-memory.dmp

Filesize
128KB

Download
memory/4144-140-0x0000000000000000-mapping.dmp

Download
memory/4644-142-0x0000000002160000-0x000000000218D000-memory.dmp

Filesize
180KB

Download
memory/4644-143-0x0000000002191000-0x00000000021BD000-memory.dmp

Filesize
176KB

Download
memory/4644-130-0x0000000000000000-mapping.dmp

Download
memory/4644-133-0x0000000002190000-0x00000000021BE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads