trickbot | 97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103

General

Target

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
Size

448KB
MD5

821b90f4f3a4d56cf89660ed6dc17761
SHA1

5d165df8a4a314f6a805715c142724372cc0e1b2
SHA256

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103
SHA512

09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7

Score

10^/10

trickbot lib302 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000253

Botnet

lib302

C2

195.54.163.150:443

168.167.51.10:443

178.116.83.49:443

176.114.66.20:449

162.212.112.175:449

158.58.131.54:443

104.254.10.200:449

118.200.151.113:443

41.211.9.234:449

81.227.16.44:443

109.173.104.236:449

212.225.214.249:449

81.17.86.112:443

41.189.173.18:443

46.149.182.112:449

197.232.243.36:449

94.232.20.113:443

47.49.168.50:443

70.79.178.120:449

68.109.83.22:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/824-58-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/824-73-0x0000000000400000-0x0000000000471000-memory.dmp	trickbot_loader32
behavioral1/memory/824-74-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/760-89-0x0000000000400000-0x0000000000471000-memory.dmp	trickbot_loader32
behavioral1/memory/760-91-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

pid process

760 98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

Loads dropped DLL 2 IoCs

Processes:

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe

pid	process
824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

520 sc.exe
560 sc.exe

pid	process
520	sc.exe
560	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exepowershell.exe

pid	process
824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1696 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1696	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

pid	process
824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

pid	process
824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.execmd.execmd.execmd.exe98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

description	pid	process	target process
PID 824 wrote to memory of 1116	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1116	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1116	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1116	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1304	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1304	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1304	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1304	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1064	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1064	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1064	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 1064	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	cmd.exe
PID 824 wrote to memory of 760	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
PID 824 wrote to memory of 760	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
PID 824 wrote to memory of 760	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
PID 824 wrote to memory of 760	824	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
PID 1116 wrote to memory of 520	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 520	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 520	1116	cmd.exe	sc.exe
PID 1116 wrote to memory of 520	1116	cmd.exe	sc.exe
PID 1304 wrote to memory of 560	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 560	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 560	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 560	1304	cmd.exe	sc.exe
PID 1064 wrote to memory of 1696	1064	cmd.exe	powershell.exe
PID 1064 wrote to memory of 1696	1064	cmd.exe	powershell.exe
PID 1064 wrote to memory of 1696	1064	cmd.exe	powershell.exe
PID 1064 wrote to memory of 1696	1064	cmd.exe	powershell.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 760 wrote to memory of 272	760	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
"C:\Users\Admin\AppData\Local\Temp\97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:520

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:560

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
C:\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
Filesize
448KB

MD5
821b90f4f3a4d56cf89660ed6dc17761

SHA1
5d165df8a4a314f6a805715c142724372cc0e1b2

SHA256
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103

SHA512
09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7

Download Submit
\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
Filesize
448KB

MD5
821b90f4f3a4d56cf89660ed6dc17761

SHA1
5d165df8a4a314f6a805715c142724372cc0e1b2

SHA256
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103

SHA512
09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7

Download Submit
\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
Filesize
448KB

MD5
821b90f4f3a4d56cf89660ed6dc17761

SHA1
5d165df8a4a314f6a805715c142724372cc0e1b2

SHA256
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103

SHA512
09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7

Download Submit
memory/272-81-0x0000000000000000-mapping.dmp

Download
memory/272-83-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/520-67-0x0000000000000000-mapping.dmp

Download
memory/560-68-0x0000000000000000-mapping.dmp

Download
memory/760-78-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/760-91-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/760-64-0x0000000000000000-mapping.dmp

Download
memory/760-89-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/824-58-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/824-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/824-74-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/824-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1064-61-0x0000000000000000-mapping.dmp

Download
memory/1116-59-0x0000000000000000-mapping.dmp

Download
memory/1304-60-0x0000000000000000-mapping.dmp

Download
memory/1696-69-0x0000000000000000-mapping.dmp

Download
memory/1696-90-0x0000000073F60000-0x000000007450B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-92-0x0000000073F60000-0x000000007450B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-93-0x0000000073F60000-0x000000007450B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads