trickbot | 97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103

General

Target

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
Size

448KB
MD5

821b90f4f3a4d56cf89660ed6dc17761
SHA1

5d165df8a4a314f6a805715c142724372cc0e1b2
SHA256

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103
SHA512

09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7

Score

10^/10

trickbot lib302 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000253

Botnet

lib302

C2

195.54.163.150:443

168.167.51.10:443

178.116.83.49:443

176.114.66.20:449

162.212.112.175:449

158.58.131.54:443

104.254.10.200:449

118.200.151.113:443

41.211.9.234:449

81.227.16.44:443

109.173.104.236:449

212.225.214.249:449

81.17.86.112:443

41.189.173.18:443

46.149.182.112:449

197.232.243.36:449

94.232.20.113:443

47.49.168.50:443

70.79.178.120:449

68.109.83.22:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4744-133-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral2/memory/4744-139-0x0000000000400000-0x0000000000471000-memory.dmp	trickbot_loader32
behavioral2/memory/4744-140-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral2/memory/4364-155-0x0000000000400000-0x0000000000471000-memory.dmp	trickbot_loader32
behavioral2/memory/4364-156-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

pid process

4364 98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

pid	process
4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe = "C:\\Users\\Admin\\AppData\\Roaming\\vsneto\\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe"	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.ipify.org
34 api.ipify.org

flow	ioc
33	api.ipify.org
34	api.ipify.org

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

pid	process
4744	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

pid	process
4744	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe

description	pid	process	target process
PID 4744 wrote to memory of 4364	4744	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
PID 4744 wrote to memory of 4364	4744	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
PID 4744 wrote to memory of 4364	4744	97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe
PID 4364 wrote to memory of 1284	4364	98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
"C:\Users\Admin\AppData\Local\Temp\97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4744

C:\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
C:\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
Filesize
448KB

MD5
821b90f4f3a4d56cf89660ed6dc17761

SHA1
5d165df8a4a314f6a805715c142724372cc0e1b2

SHA256
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103

SHA512
09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7

Download Submit
C:\Users\Admin\AppData\Roaming\vsneto\98b0b69dc0de6e03de64dc930399f3f92e21209ddcb1f88ea083b2176f769103.exe
Filesize
448KB

MD5
821b90f4f3a4d56cf89660ed6dc17761

SHA1
5d165df8a4a314f6a805715c142724372cc0e1b2

SHA256
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103

SHA512
09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7

Download Submit
memory/1284-147-0x0000000000000000-mapping.dmp

Download
memory/1284-149-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/4364-134-0x0000000000000000-mapping.dmp

Download
memory/4364-144-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4364-155-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4364-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4744-133-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4744-139-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4744-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads