trickbot | f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971

General

Target

f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe
Size

496KB
MD5

c66736eefb4fbdfdf30b4eac756b3a88
SHA1

3b5a68111e25eaa1eb60aaf09f4dfe6f31cf460f
SHA256

f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971
SHA512

2b512079049031c7061d767fe66f272b7b22a674b36d47a90e002c94de9dbddde545460b6add1a32a7d98b69c65571b50b56ece433219d5f2376f143b3e5b73a

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1292-57-0x0000000000620000-0x000000000064E000-memory.dmp	trickbot_loader32
behavioral1/memory/1292-60-0x0000000000620000-0x000000000064E000-memory.dmp	trickbot_loader32
behavioral1/memory/1292-68-0x0000000000620000-0x000000000064E000-memory.dmp	trickbot_loader32
behavioral1/memory/1428-72-0x00000000002E0000-0x000000000030E000-memory.dmp	trickbot_loader32
behavioral1/memory/1428-76-0x00000000002E0000-0x000000000030E000-memory.dmp	trickbot_loader32
behavioral1/memory/1992-87-0x00000000003D0000-0x00000000003FE000-memory.dmp	trickbot_loader32
behavioral1/memory/1992-91-0x00000000003D0000-0x00000000003FE000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exef04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe

pid	process
1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe

Loads dropped DLL 2 IoCs

Processes:

f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe

pid	process
1292	f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe
1292	f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe

description pid process

Token: SeTcbPrivilege 1992 f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe

description	pid	process
Token: SeTcbPrivilege	1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exef04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exef04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe

pid	process
1292	f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe
1292	f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe
1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exef04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exetaskeng.exef04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe

description	pid	process	target process
PID 1292 wrote to memory of 1428	1292	f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
PID 1292 wrote to memory of 1428	1292	f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
PID 1292 wrote to memory of 1428	1292	f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
PID 1292 wrote to memory of 1428	1292	f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
PID 1428 wrote to memory of 2036	1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1428 wrote to memory of 2036	1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1428 wrote to memory of 2036	1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1428 wrote to memory of 2036	1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1428 wrote to memory of 2036	1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1428 wrote to memory of 2036	1428	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 904 wrote to memory of 1992	904	taskeng.exe	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
PID 904 wrote to memory of 1992	904	taskeng.exe	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
PID 904 wrote to memory of 1992	904	taskeng.exe	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
PID 904 wrote to memory of 1992	904	taskeng.exe	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
PID 1992 wrote to memory of 1916	1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1992 wrote to memory of 1916	1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1992 wrote to memory of 1916	1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1992 wrote to memory of 1916	1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1992 wrote to memory of 1916	1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe
PID 1992 wrote to memory of 1916	1992	f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe
"C:\Users\Admin\AppData\Local\Temp\f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
C:\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2036

C:\Windows\system32\taskeng.exe
taskeng.exe {59DC8C88-36FE-415F-83CC-A8B49B040E2A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
C:\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1916

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
Filesize
496KB

MD5
c66736eefb4fbdfdf30b4eac756b3a88

SHA1
3b5a68111e25eaa1eb60aaf09f4dfe6f31cf460f

SHA256
f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971

SHA512
2b512079049031c7061d767fe66f272b7b22a674b36d47a90e002c94de9dbddde545460b6add1a32a7d98b69c65571b50b56ece433219d5f2376f143b3e5b73a

Download Submit
C:\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
Filesize
496KB

MD5
c66736eefb4fbdfdf30b4eac756b3a88

SHA1
3b5a68111e25eaa1eb60aaf09f4dfe6f31cf460f

SHA256
f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971

SHA512
2b512079049031c7061d767fe66f272b7b22a674b36d47a90e002c94de9dbddde545460b6add1a32a7d98b69c65571b50b56ece433219d5f2376f143b3e5b73a

Download Submit
C:\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
Filesize
496KB

MD5
c66736eefb4fbdfdf30b4eac756b3a88

SHA1
3b5a68111e25eaa1eb60aaf09f4dfe6f31cf460f

SHA256
f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971

SHA512
2b512079049031c7061d767fe66f272b7b22a674b36d47a90e002c94de9dbddde545460b6add1a32a7d98b69c65571b50b56ece433219d5f2376f143b3e5b73a

Download Submit
\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
Filesize
496KB

MD5
c66736eefb4fbdfdf30b4eac756b3a88

SHA1
3b5a68111e25eaa1eb60aaf09f4dfe6f31cf460f

SHA256
f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971

SHA512
2b512079049031c7061d767fe66f272b7b22a674b36d47a90e002c94de9dbddde545460b6add1a32a7d98b69c65571b50b56ece433219d5f2376f143b3e5b73a

Download Submit
\Users\Admin\AppData\Roaming\speedlink\f04bdc427f74f0034f104411898fd48278d872788899291f973c083c3d10b991.exe
Filesize
496KB

MD5
c66736eefb4fbdfdf30b4eac756b3a88

SHA1
3b5a68111e25eaa1eb60aaf09f4dfe6f31cf460f

SHA256
f04bdc425f54f0034f104411696fd46258d652588897271f953c063c3d10b971

SHA512
2b512079049031c7061d767fe66f272b7b22a674b36d47a90e002c94de9dbddde545460b6add1a32a7d98b69c65571b50b56ece433219d5f2376f143b3e5b73a

Download Submit
memory/1292-57-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/1292-59-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/1292-60-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/1292-68-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/1428-74-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1428-63-0x0000000000000000-mapping.dmp

Download
memory/1428-76-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/1428-72-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/1916-92-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1916-90-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1916-88-0x0000000000000000-mapping.dmp

Download
memory/1992-89-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1992-87-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1992-79-0x0000000000000000-mapping.dmp

Download
memory/1992-91-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2036-73-0x0000000000000000-mapping.dmp

Download
memory/2036-77-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2036-75-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads