trickbot | 94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

General

Target

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe
Size

580KB
MD5

899548beb4e249e4c4293241fb6fd4bc
SHA1

35ec596c9fccf41d961d87ad62e758cf7798131b
SHA256

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d
SHA512

9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/788-61-0x00000000004A0000-0x00000000004CD000-memory.dmp	trickbot_loader32
behavioral1/memory/788-63-0x0000000000250000-0x000000000027C000-memory.dmp	trickbot_loader32
behavioral1/memory/788-64-0x00000000004A1000-0x00000000004CC000-memory.dmp	trickbot_loader32
behavioral1/memory/788-66-0x00000000004A1000-0x00000000004CC000-memory.dmp	trickbot_loader32
behavioral1/memory/1756-75-0x00000000003B1000-0x00000000003DC000-memory.dmp	trickbot_loader32
behavioral1/memory/1756-77-0x00000000003B1000-0x00000000003DC000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

هدميملئظائراصوةلطنشدنرلعمكأا.exeهدميملئظائراصوةلطنشدنرلعمكأا.exe

pid process

788 هدميملئظائراصوةلطنشدنرلعمكأا.exe
1756 هدميملئظائراصوةلطنشدنرلعمكأا.exe

pid	process
788	هدميملئظائراصوةلطنشدنرلعمكأا.exe
1756	هدميملئظائراصوةلطنشدنرلعمكأا.exe

Loads dropped DLL 2 IoCs

Processes:

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe

pid	process
2008	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe
2008	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1920 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1920	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exeهدميملئظائراصوةلطنشدنرلعمكأا.exeهدميملئظائراصوةلطنشدنرلعمكأا.exe

pid	process
2008	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe
788	هدميملئظائراصوةلطنشدنرلعمكأا.exe
1756	هدميملئظائراصوةلطنشدنرلعمكأا.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exeهدميملئظائراصوةلطنشدنرلعمكأا.exetaskeng.exeهدميملئظائراصوةلطنشدنرلعمكأا.exe

description	pid	process	target process
PID 2008 wrote to memory of 788	2008	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 2008 wrote to memory of 788	2008	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 2008 wrote to memory of 788	2008	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 2008 wrote to memory of 788	2008	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 788 wrote to memory of 1260	788	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 788 wrote to memory of 1260	788	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 788 wrote to memory of 1260	788	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 788 wrote to memory of 1260	788	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 788 wrote to memory of 1260	788	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 788 wrote to memory of 1260	788	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1628 wrote to memory of 1756	1628	taskeng.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 1628 wrote to memory of 1756	1628	taskeng.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 1628 wrote to memory of 1756	1628	taskeng.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 1628 wrote to memory of 1756	1628	taskeng.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 1756 wrote to memory of 1920	1756	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1756 wrote to memory of 1920	1756	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1756 wrote to memory of 1920	1756	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1756 wrote to memory of 1920	1756	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1756 wrote to memory of 1920	1756	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1756 wrote to memory of 1920	1756	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe
"C:\Users\Admin\AppData\Local\Temp\94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe
"C:\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1260

C:\Windows\system32\taskeng.exe
taskeng.exe {67DE4EC3-771E-4030-AF3B-6EA560A393E6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\netcloud\هدميملئظائراصوةلطنشدنرلعمكأا.exe
C:\Users\Admin\AppData\Roaming\netcloud\هدميملئظائراصوةلطنشدنرلعمكأا.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
C:\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
memory/788-57-0x0000000000000000-mapping.dmp

Download
memory/788-61-0x00000000004A0000-0x00000000004CD000-memory.dmp

Filesize
180KB

Download
memory/788-63-0x0000000000250000-0x000000000027C000-memory.dmp

Filesize
176KB

Download
memory/788-64-0x00000000004A1000-0x00000000004CC000-memory.dmp

Filesize
172KB

Download
memory/788-66-0x00000000004A1000-0x00000000004CC000-memory.dmp

Filesize
172KB

Download
memory/1260-68-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1260-67-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1260-65-0x0000000000000000-mapping.dmp

Download
memory/1756-70-0x0000000000000000-mapping.dmp

Download
memory/1756-75-0x00000000003B1000-0x00000000003DC000-memory.dmp

Filesize
172KB

Download
memory/1756-77-0x00000000003B1000-0x00000000003DC000-memory.dmp

Filesize
172KB

Download
memory/1920-76-0x0000000000000000-mapping.dmp

Download
memory/1920-78-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1920-79-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/2008-54-0x0000000075791000-0x0000000075793000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads