trickbot | 8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

General

Target

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe
Size

588KB
MD5

8b95f7f84889c56733b28368ec8b6b0a
SHA1

a4c9874ed2a345c60fd34faa76e00e3fa54d5476
SHA256

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230
SHA512

26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1064-55-0x0000000001C60000-0x0000000001C8E000-memory.dmp	trickbot_loader32
behavioral1/memory/1064-58-0x0000000001C61000-0x0000000001C8D000-memory.dmp	trickbot_loader32
behavioral1/memory/1064-57-0x00000000003D0000-0x00000000003FD000-memory.dmp	trickbot_loader32
behavioral1/memory/1736-66-0x0000000000331000-0x000000000035D000-memory.dmp	trickbot_loader32
behavioral1/memory/1064-68-0x0000000001C61000-0x0000000001C8D000-memory.dmp	trickbot_loader32
behavioral1/memory/1736-71-0x0000000000331000-0x000000000035D000-memory.dmp	trickbot_loader32
behavioral1/memory/1712-80-0x0000000000281000-0x00000000002AD000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

pid	process
1736	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

Loads dropped DLL 2 IoCs

Processes:

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe

pid	process
1064	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe
1064	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

description pid process

Token: SeTcbPrivilege 1712 8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

description	pid	process
Token: SeTcbPrivilege	1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

pid	process
1064	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe
1736	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exetaskeng.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

description	pid	process	target process
PID 1064 wrote to memory of 1736	1064	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 1064 wrote to memory of 1736	1064	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 1064 wrote to memory of 1736	1064	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 1064 wrote to memory of 1736	1064	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 1736 wrote to memory of 2036	1736	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1736 wrote to memory of 2036	1736	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1736 wrote to memory of 2036	1736	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1736 wrote to memory of 2036	1736	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1736 wrote to memory of 2036	1736	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1736 wrote to memory of 2036	1736	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 564 wrote to memory of 1712	564	taskeng.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 564 wrote to memory of 1712	564	taskeng.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 564 wrote to memory of 1712	564	taskeng.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 564 wrote to memory of 1712	564	taskeng.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 1712 wrote to memory of 532	1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1712 wrote to memory of 532	1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1712 wrote to memory of 532	1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1712 wrote to memory of 532	1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1712 wrote to memory of 532	1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 1712 wrote to memory of 532	1712	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe
"C:\Users\Admin\AppData\Local\Temp\8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2036

C:\Windows\system32\taskeng.exe
taskeng.exe {017C744F-2C54-4C77-9336-904968EA6574} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:532

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
Filesize
588KB

MD5
8b95f7f84889c56733b28368ec8b6b0a

SHA1
a4c9874ed2a345c60fd34faa76e00e3fa54d5476

SHA256
8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

SHA512
26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
Filesize
588KB

MD5
8b95f7f84889c56733b28368ec8b6b0a

SHA1
a4c9874ed2a345c60fd34faa76e00e3fa54d5476

SHA256
8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

SHA512
26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
Filesize
588KB

MD5
8b95f7f84889c56733b28368ec8b6b0a

SHA1
a4c9874ed2a345c60fd34faa76e00e3fa54d5476

SHA256
8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

SHA512
26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
Filesize
588KB

MD5
8b95f7f84889c56733b28368ec8b6b0a

SHA1
a4c9874ed2a345c60fd34faa76e00e3fa54d5476

SHA256
8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

SHA512
26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
Filesize
588KB

MD5
8b95f7f84889c56733b28368ec8b6b0a

SHA1
a4c9874ed2a345c60fd34faa76e00e3fa54d5476

SHA256
8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

SHA512
26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Download Submit
memory/532-83-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/532-82-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/532-79-0x0000000000000000-mapping.dmp

Download
memory/1064-55-0x0000000001C60000-0x0000000001C8E000-memory.dmp

Filesize
184KB

Download
memory/1064-57-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/1064-68-0x0000000001C61000-0x0000000001C8D000-memory.dmp

Filesize
176KB

Download
memory/1064-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1064-58-0x0000000001C61000-0x0000000001C8D000-memory.dmp

Filesize
176KB

Download
memory/1712-81-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1712-80-0x0000000000281000-0x00000000002AD000-memory.dmp

Filesize
176KB

Download
memory/1712-74-0x0000000000000000-mapping.dmp

Download
memory/1736-71-0x0000000000331000-0x000000000035D000-memory.dmp

Filesize
176KB

Download
memory/1736-69-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1736-66-0x0000000000331000-0x000000000035D000-memory.dmp

Filesize
176KB

Download
memory/1736-61-0x0000000000000000-mapping.dmp

Download
memory/2036-72-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2036-70-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2036-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads