trickbot | 94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

General

Target

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe
Size

580KB
MD5

899548beb4e249e4c4293241fb6fd4bc
SHA1

35ec596c9fccf41d961d87ad62e758cf7798131b
SHA256

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d
SHA512

9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1980-133-0x00000000022B0000-0x00000000022DD000-memory.dmp	trickbot_loader32
behavioral2/memory/1980-135-0x0000000002280000-0x00000000022AC000-memory.dmp	trickbot_loader32
behavioral2/memory/1980-136-0x00000000022B1000-0x00000000022DC000-memory.dmp	trickbot_loader32
behavioral2/memory/1980-137-0x00000000022B1000-0x00000000022DC000-memory.dmp	trickbot_loader32
behavioral2/memory/1980-139-0x00000000022B1000-0x00000000022DC000-memory.dmp	trickbot_loader32
behavioral2/memory/2792-147-0x0000000000EE1000-0x0000000000F0C000-memory.dmp	trickbot_loader32
behavioral2/memory/2792-149-0x0000000000EE1000-0x0000000000F0C000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

هدميملئظائراصوةلطنشدنرلعمكأا.exeهدميملئظائراصوةلطنشدنرلعمكأا.exe

pid process

1980 هدميملئظائراصوةلطنشدنرلعمكأا.exe
2792 هدميملئظائراصوةلطنشدنرلعمكأا.exe

pid	process
1980	هدميملئظائراصوةلطنشدنرلعمكأا.exe
2792	هدميملئظائراصوةلطنشدنرلعمكأا.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1468 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1468	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exeهدميملئظائراصوةلطنشدنرلعمكأا.exeهدميملئظائراصوةلطنشدنرلعمكأا.exe

pid	process
1716	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe
1980	هدميملئظائراصوةلطنشدنرلعمكأا.exe
2792	هدميملئظائراصوةلطنشدنرلعمكأا.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exeهدميملئظائراصوةلطنشدنرلعمكأا.exeهدميملئظائراصوةلطنشدنرلعمكأا.exe

description	pid	process	target process
PID 1716 wrote to memory of 1980	1716	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 1716 wrote to memory of 1980	1716	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 1716 wrote to memory of 1980	1716	94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe	هدميملئظائراصوةلطنشدنرلعمكأا.exe
PID 1980 wrote to memory of 4528	1980	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1980 wrote to memory of 4528	1980	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1980 wrote to memory of 4528	1980	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 1980 wrote to memory of 4528	1980	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 2792 wrote to memory of 1468	2792	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 2792 wrote to memory of 1468	2792	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 2792 wrote to memory of 1468	2792	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe
PID 2792 wrote to memory of 1468	2792	هدميملئظائراصوةلطنشدنرلعمكأا.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe
"C:\Users\Admin\AppData\Local\Temp\94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

C:\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe
"C:\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4528

C:\Users\Admin\AppData\Roaming\netcloud\هدميملئظائراصوةلطنشدنرلعمكأا.exe
C:\Users\Admin\AppData\Roaming\netcloud\هدميملئظائراصوةلطنشدنرلعمكأا.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
C:\ProgramData\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
C:\Users\Admin\AppData\Roaming\netcloud\هدميملئظائراصوةلطنشدنرلعمكأا.exe
Filesize
580KB

MD5
899548beb4e249e4c4293241fb6fd4bc

SHA1
35ec596c9fccf41d961d87ad62e758cf7798131b

SHA256
94804e1d517646d18a96c39bfa216bedcf6feb430875ce7ae7a5336a530e396d

SHA512
9e92478f32d848aabe07b1f73e1d13b4b8770bac309fb4fd30d65b5e0b1437b290639e56d4c1362ddd9d6e5276bcd692d7379d9337d32a6e64cf78b20db42932

Download Submit
memory/1468-150-0x0000023D32890000-0x0000023D328AE000-memory.dmp

Filesize
120KB

Download
memory/1468-148-0x0000000000000000-mapping.dmp

Download
memory/1980-135-0x0000000002280000-0x00000000022AC000-memory.dmp

Filesize
176KB

Download
memory/1980-139-0x00000000022B1000-0x00000000022DC000-memory.dmp

Filesize
172KB

Download
memory/1980-137-0x00000000022B1000-0x00000000022DC000-memory.dmp

Filesize
172KB

Download
memory/1980-136-0x00000000022B1000-0x00000000022DC000-memory.dmp

Filesize
172KB

Download
memory/1980-130-0x0000000000000000-mapping.dmp

Download
memory/1980-133-0x00000000022B0000-0x00000000022DD000-memory.dmp

Filesize
180KB

Download
memory/2792-146-0x00000000007C0000-0x000000000083A000-memory.dmp

Filesize
488KB

Download
memory/2792-147-0x0000000000EE1000-0x0000000000F0C000-memory.dmp

Filesize
172KB

Download
memory/2792-149-0x0000000000EE1000-0x0000000000F0C000-memory.dmp

Filesize
172KB

Download
memory/4528-138-0x0000000000000000-mapping.dmp

Download
memory/4528-140-0x00000263B7080000-0x00000263B709E000-memory.dmp

Filesize
120KB

Download
memory/4528-141-0x00000263B7080000-0x00000263B709E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads