trickbot | 8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

General

Target

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe
Size

588KB
MD5

8b95f7f84889c56733b28368ec8b6b0a
SHA1

a4c9874ed2a345c60fd34faa76e00e3fa54d5476
SHA256

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230
SHA512

26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3420-130-0x0000000002290000-0x00000000022BE000-memory.dmp	trickbot_loader32
behavioral2/memory/3420-135-0x0000000002260000-0x000000000228D000-memory.dmp	trickbot_loader32
behavioral2/memory/3420-136-0x0000000002291000-0x00000000022BD000-memory.dmp	trickbot_loader32
behavioral2/memory/3660-140-0x0000000002091000-0x00000000020BD000-memory.dmp	trickbot_loader32
behavioral2/memory/4180-148-0x0000000000D21000-0x0000000000D4D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

pid	process
3660	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
4180	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

description pid process

Token: SeTcbPrivilege 4180 8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

description	pid	process
Token: SeTcbPrivilege	4180	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

pid	process
3420	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe
3660	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
4180	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe

description	pid	process	target process
PID 3420 wrote to memory of 3660	3420	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 3420 wrote to memory of 3660	3420	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 3420 wrote to memory of 3660	3420	8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
PID 3660 wrote to memory of 2092	3660	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 3660 wrote to memory of 2092	3660	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 3660 wrote to memory of 2092	3660	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 3660 wrote to memory of 2092	3660	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 4180 wrote to memory of 4144	4180	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 4180 wrote to memory of 4144	4180	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 4180 wrote to memory of 4144	4180	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe
PID 4180 wrote to memory of 4144	4180	8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe
"C:\Users\Admin\AppData\Local\Temp\8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2092

C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
Filesize
588KB

MD5
8b95f7f84889c56733b28368ec8b6b0a

SHA1
a4c9874ed2a345c60fd34faa76e00e3fa54d5476

SHA256
8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

SHA512
26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
Filesize
588KB

MD5
8b95f7f84889c56733b28368ec8b6b0a

SHA1
a4c9874ed2a345c60fd34faa76e00e3fa54d5476

SHA256
8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

SHA512
26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\8ba828409f701fc28de2941188ba9440acbb8d88c2813fb91ef9aa4388f81230.exe
Filesize
588KB

MD5
8b95f7f84889c56733b28368ec8b6b0a

SHA1
a4c9874ed2a345c60fd34faa76e00e3fa54d5476

SHA256
8ba628407f501fc26de2941186ba9440acbb8d68c2813fb91ef7aa4388f61230

SHA512
26363f38b7534c43ed80562ee930e6bf2820e22933ea8ef8a1129714a5720a1a30ba84c1f8e800d761a299590d980d576948c1cef600367b652de9dde7ad95b2

Download Submit
memory/2092-142-0x000001D812550000-0x000001D812570000-memory.dmp

Filesize
128KB

Download
memory/2092-139-0x0000000000000000-mapping.dmp

Download
memory/2092-143-0x000001D812550000-0x000001D812570000-memory.dmp

Filesize
128KB

Download
memory/3420-135-0x0000000002260000-0x000000000228D000-memory.dmp

Filesize
180KB

Download
memory/3420-136-0x0000000002291000-0x00000000022BD000-memory.dmp

Filesize
176KB

Download
memory/3420-130-0x0000000002290000-0x00000000022BE000-memory.dmp

Filesize
184KB

Download
memory/3660-141-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3660-140-0x0000000002091000-0x00000000020BD000-memory.dmp

Filesize
176KB

Download
memory/3660-132-0x0000000000000000-mapping.dmp

Download
memory/4144-147-0x0000000000000000-mapping.dmp

Download
memory/4144-150-0x00000177BEAC0000-0x00000177BEAE0000-memory.dmp

Filesize
128KB

Download
memory/4144-151-0x00000177BEAC0000-0x00000177BEAE0000-memory.dmp

Filesize
128KB

Download
memory/4180-148-0x0000000000D21000-0x0000000000D4D000-memory.dmp

Filesize
176KB

Download
memory/4180-149-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads