Overview

overview

10

Static

static

6a5c011287...ac.exe

windows7-x64

10

6a5c011287...ac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 05:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a5c0112870ffb39a840a1800f08b7a23c8753ff6ba152f14da6cdbde0d57cac.exe

  • Size

    748KB

  • MD5

    955a58eb796749424e76bc559da71d99

  • SHA1

    0c4c46797d0975c03b49f9f31b74d9b3e72539c7

  • SHA256

    6a5c0112870ffb39a840a1800f08b7a23c8753ff6ba152f14da6cdbde0d57cac

  • SHA512

    5d715ccb22de3a8dc283635a9285bf83273c84af62e268d79b93d28bac0aa0310067d895d7c0b53a1b2ecd1b196c342c0b80074935b5480ec7419232cb2027f0

Score
10/10
trickbotbankertrojan

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 6 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a5c0112870ffb39a840a1800f08b7a23c8753ff6ba152f14da6cdbde0d57cac.exe
    "C:\Users\Admin\AppData\Local\Temp\6a5c0112870ffb39a840a1800f08b7a23c8753ff6ba152f14da6cdbde0d57cac.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:2004
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {360B10D4-3F45-444D-8C5E-64D4BB3CD4ED} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\AppData\Roaming\taskhealth\8a7c0112890ffb39a840a1800f08b9a23c8973ff8ba172f14da8cdbde0d79cac.exe
        C:\Users\Admin\AppData\Roaming\taskhealth\8a7c0112890ffb39a840a1800f08b9a23c8973ff8ba172f14da8cdbde0d79cac.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1380

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\taskhealth\8a7c0112890ffb39a840a1800f08b9a23c8973ff8ba172f14da8cdbde0d79cac.exe
      Filesize

      748KB

      MD5

      955a58eb796749424e76bc559da71d99

      SHA1

      0c4c46797d0975c03b49f9f31b74d9b3e72539c7

      SHA256

      6a5c0112870ffb39a840a1800f08b7a23c8753ff6ba152f14da6cdbde0d57cac

      SHA512

      5d715ccb22de3a8dc283635a9285bf83273c84af62e268d79b93d28bac0aa0310067d895d7c0b53a1b2ecd1b196c342c0b80074935b5480ec7419232cb2027f0

      Download Submit
    • C:\Users\Admin\AppData\Roaming\taskhealth\8a7c0112890ffb39a840a1800f08b9a23c8973ff8ba172f14da8cdbde0d79cac.exe
      Filesize

      748KB

      MD5

      955a58eb796749424e76bc559da71d99

      SHA1

      0c4c46797d0975c03b49f9f31b74d9b3e72539c7

      SHA256

      6a5c0112870ffb39a840a1800f08b7a23c8753ff6ba152f14da6cdbde0d57cac

      SHA512

      5d715ccb22de3a8dc283635a9285bf83273c84af62e268d79b93d28bac0aa0310067d895d7c0b53a1b2ecd1b196c342c0b80074935b5480ec7419232cb2027f0

      Download Submit
    • memory/1176-68-0x00000000001E1000-0x000000000020D000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1176-70-0x00000000001E1000-0x000000000020D000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1176-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1380-71-0x0000000000060000-0x0000000000080000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1380-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1380-72-0x0000000000060000-0x0000000000080000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1828-57-0x00000000002C1000-0x00000000002ED000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1828-59-0x00000000002C1000-0x00000000002ED000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1828-60-0x0000000010001000-0x0000000010005000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1828-54-0x0000000075871000-0x0000000075873000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1828-56-0x0000000000290000-0x00000000002BD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1828-55-0x00000000002C0000-0x00000000002ED000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2004-58-0x0000000000000000-mapping.dmp
      Download
    • memory/2004-62-0x0000000000060000-0x0000000000080000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2004-61-0x0000000000060000-0x0000000000080000-memory.dmp
      Filesize

      128KB

      Download