trickbot | cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

General

Target

cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe
Size

274KB
MD5

2d9a2aac9084a566348e4a8444d6345b
SHA1

d0dd7bc90451c152df1eb2267d0230bf31033cb8
SHA256

cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17
SHA512

7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/5092-132-0x00000000001D0000-0x00000000001F9000-memory.dmp	trickbot_loader32
behavioral2/memory/5092-137-0x00000000001D0000-0x00000000001F9000-memory.dmp	trickbot_loader32
behavioral2/memory/4896-148-0x00000000001A0000-0x00000000001C9000-memory.dmp	trickbot_loader32
behavioral2/memory/1844-160-0x0000000000780000-0x00000000007A9000-memory.dmp	trickbot_loader32
behavioral2/memory/4396-173-0x0000000000920000-0x0000000000949000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

Processes:

cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.execfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.execfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

pid	process
4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

Drops file in System32 directory 2 IoCs

Processes:

cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.execfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\HJCVSQW.Cons	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
File opened for modification	C:\Windows\SysWOW64\HJCVSQW.Cons	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.execfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

description	pid	process
Token: SeTcbPrivilege	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Token: SeTcbPrivilege	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.execfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.execfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.execfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe

description	pid	process	target process
PID 5092 wrote to memory of 4896	5092	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
PID 5092 wrote to memory of 4896	5092	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
PID 5092 wrote to memory of 4896	5092	cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4896 wrote to memory of 400	4896	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 1844 wrote to memory of 1760	1844	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe
PID 4396 wrote to memory of 3508	4396	cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe
"C:\Users\Admin\AppData\Local\Temp\cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:400

C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1760

C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\a020844361f803a0b2574981e4161001_bfe458be-6a47-4012-a9d0-2c4333e0df83
Filesize
1KB

MD5
787148a5dc4eb735b7d0113c8608eada

SHA1
1e993174aa6c42c82dc7d9868a4c4845e7952bb2

SHA256
fd149923282fc715719cdfe0549a7cfe85b34c240a9558dc76034b1538579233

SHA512
853f8d0411560d05dbb027174f20009d04069343d5621ae532a31152f090b7d2880211ffa103a3b1bc9b5791472ec113507459e287d5fb9b43545aef837a9bbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3463845317-933582289-45817732-1000\0f5007522459c86e95ffcc62f32308f1_bfe458be-6a47-4012-a9d0-2c4333e0df83
Filesize
1KB

MD5
5543b7adb9d37eb608a9170ba26047b1

SHA1
5cafee72e7f1359706a0d7d7c98345eb0e210ca4

SHA256
3915b72417fccc0cac6849d1a1bcac1266ccf7b790ef8da5449978209547f603

SHA512
2e3a9f4d3f660f706691832ab6f2cb0ce6018bca2d86f0c0bedd081a3a93cf150cad374c9ab4725572519a16c728c39ccb00fc24e9f71e5c96ce87e9209c2c95

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Filesize
274KB

MD5
2d9a2aac9084a566348e4a8444d6345b

SHA1
d0dd7bc90451c152df1eb2267d0230bf31033cb8

SHA256
cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

SHA512
7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Filesize
274KB

MD5
2d9a2aac9084a566348e4a8444d6345b

SHA1
d0dd7bc90451c152df1eb2267d0230bf31033cb8

SHA256
cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

SHA512
7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Filesize
274KB

MD5
2d9a2aac9084a566348e4a8444d6345b

SHA1
d0dd7bc90451c152df1eb2267d0230bf31033cb8

SHA256
cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

SHA512
7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\cfba11af9aae18a08edcc3e307dc11b9a9b6143b1d2bf276674d0219fcab9d18.exe
Filesize
274KB

MD5
2d9a2aac9084a566348e4a8444d6345b

SHA1
d0dd7bc90451c152df1eb2267d0230bf31033cb8

SHA256
cfba11af8aae17a07edcc3e306dc11b9a9b5143b1d2bf265564d0219fcab9d17

SHA512
7ee637d6a42a97d1e88b02d7164e60ce0d2db55db2874821cfe5e61331cf1ab9a3b7113ce949c6bdc436b8273e450ab5ae97f914350e0f59b1baea0d3711f6b5

Download Submit
memory/400-144-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/400-142-0x0000000000000000-mapping.dmp

Download
memory/1760-154-0x0000000000000000-mapping.dmp

Download
memory/1844-160-0x0000000000780000-0x00000000007A9000-memory.dmp

Filesize
164KB

Download
memory/3508-167-0x0000000000000000-mapping.dmp

Download
memory/4396-173-0x0000000000920000-0x0000000000949000-memory.dmp

Filesize
164KB

Download
memory/4896-148-0x00000000001A0000-0x00000000001C9000-memory.dmp

Filesize
164KB

Download
memory/4896-139-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4896-133-0x0000000000000000-mapping.dmp

Download
memory/5092-132-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download
memory/5092-137-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads