trickbot | 8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

General

Target

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
Size

628KB
MD5

21b485281c51911c061f809c80f68ea9
SHA1

4da7ec45cfff4bc2c62ec1610420a179f30f4994
SHA256

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043
SHA512

5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1164-55-0x0000000001C90000-0x0000000001CBE000-memory.dmp	trickbot_loader32
behavioral1/memory/1164-65-0x0000000001C60000-0x0000000001C8D000-memory.dmp	trickbot_loader32
behavioral1/memory/1164-66-0x0000000001C91000-0x0000000001CBD000-memory.dmp	trickbot_loader32
behavioral1/memory/872-67-0x0000000000281000-0x00000000002AD000-memory.dmp	trickbot_loader32
behavioral1/memory/896-78-0x0000000000641000-0x000000000066D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

pid	process
872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

Loads dropped DLL 2 IoCs

Processes:

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe

pid	process
1164	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
1164	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

description pid process

Token: SeTcbPrivilege 896 8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

description	pid	process
Token: SeTcbPrivilege	896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

pid	process
1164	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
1164	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exetaskeng.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

description	pid	process	target process
PID 1164 wrote to memory of 872	1164	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 1164 wrote to memory of 872	1164	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 1164 wrote to memory of 872	1164	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 1164 wrote to memory of 872	1164	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 872 wrote to memory of 1948	872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 872 wrote to memory of 1948	872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 872 wrote to memory of 1948	872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 872 wrote to memory of 1948	872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 872 wrote to memory of 1948	872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 872 wrote to memory of 1948	872	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 1664 wrote to memory of 896	1664	taskeng.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 1664 wrote to memory of 896	1664	taskeng.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 1664 wrote to memory of 896	1664	taskeng.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 1664 wrote to memory of 896	1664	taskeng.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 896 wrote to memory of 112	896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 896 wrote to memory of 112	896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 896 wrote to memory of 112	896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 896 wrote to memory of 112	896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 896 wrote to memory of 112	896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 896 wrote to memory of 112	896	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
"C:\Users\Admin\AppData\Local\Temp\8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1948

C:\Windows\system32\taskeng.exe
taskeng.exe {6C8B528D-ED60-4760-9C8D-6B0752CE5482} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:112

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
Filesize
628KB

MD5
21b485281c51911c061f809c80f68ea9

SHA1
4da7ec45cfff4bc2c62ec1610420a179f30f4994

SHA256
8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

SHA512
5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
Filesize
628KB

MD5
21b485281c51911c061f809c80f68ea9

SHA1
4da7ec45cfff4bc2c62ec1610420a179f30f4994

SHA256
8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

SHA512
5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
Filesize
628KB

MD5
21b485281c51911c061f809c80f68ea9

SHA1
4da7ec45cfff4bc2c62ec1610420a179f30f4994

SHA256
8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

SHA512
5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
Filesize
628KB

MD5
21b485281c51911c061f809c80f68ea9

SHA1
4da7ec45cfff4bc2c62ec1610420a179f30f4994

SHA256
8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

SHA512
5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Download Submit
\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
Filesize
628KB

MD5
21b485281c51911c061f809c80f68ea9

SHA1
4da7ec45cfff4bc2c62ec1610420a179f30f4994

SHA256
8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

SHA512
5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Download Submit
memory/112-81-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/112-80-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/112-77-0x0000000000000000-mapping.dmp

Download
memory/872-67-0x0000000000281000-0x00000000002AD000-memory.dmp

Filesize
176KB

Download
memory/872-68-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/872-59-0x0000000000000000-mapping.dmp

Download
memory/896-72-0x0000000000000000-mapping.dmp

Download
memory/896-79-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/896-78-0x0000000000641000-0x000000000066D000-memory.dmp

Filesize
176KB

Download
memory/1164-54-0x0000000076021000-0x0000000076023000-memory.dmp

Filesize
8KB

Download
memory/1164-55-0x0000000001C90000-0x0000000001CBE000-memory.dmp

Filesize
184KB

Download
memory/1164-66-0x0000000001C91000-0x0000000001CBD000-memory.dmp

Filesize
176KB

Download
memory/1164-65-0x0000000001C60000-0x0000000001C8D000-memory.dmp

Filesize
180KB

Download
memory/1948-70-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1948-69-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1948-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads