trickbot | 8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

General

Target

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
Size

628KB
MD5

21b485281c51911c061f809c80f68ea9
SHA1

4da7ec45cfff4bc2c62ec1610420a179f30f4994
SHA256

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043
SHA512

5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/540-130-0x0000000002440000-0x000000000246E000-memory.dmp	trickbot_loader32
behavioral2/memory/540-138-0x00000000023F0000-0x000000000241D000-memory.dmp	trickbot_loader32
behavioral2/memory/540-139-0x0000000002441000-0x000000000246D000-memory.dmp	trickbot_loader32
behavioral2/memory/4640-140-0x0000000000A21000-0x0000000000A4D000-memory.dmp	trickbot_loader32
behavioral2/memory/668-148-0x0000000000E81000-0x0000000000EAD000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

pid	process
4640	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
668	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

description pid process

Token: SeTcbPrivilege 668 8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

description	pid	process
Token: SeTcbPrivilege	668	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

pid	process
540	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
540	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
4640	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
4640	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
668	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
668	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe

description	pid	process	target process
PID 540 wrote to memory of 4640	540	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 540 wrote to memory of 4640	540	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 540 wrote to memory of 4640	540	8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
PID 4640 wrote to memory of 956	4640	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 4640 wrote to memory of 956	4640	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 4640 wrote to memory of 956	4640	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 4640 wrote to memory of 956	4640	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 668 wrote to memory of 4840	668	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 668 wrote to memory of 4840	668	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 668 wrote to memory of 4840	668	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe
PID 668 wrote to memory of 4840	668	8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe
"C:\Users\Admin\AppData\Local\Temp\8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:956

C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
Filesize
628KB

MD5
21b485281c51911c061f809c80f68ea9

SHA1
4da7ec45cfff4bc2c62ec1610420a179f30f4994

SHA256
8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

SHA512
5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
Filesize
628KB

MD5
21b485281c51911c061f809c80f68ea9

SHA1
4da7ec45cfff4bc2c62ec1610420a179f30f4994

SHA256
8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

SHA512
5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Download Submit
C:\Users\Admin\AppData\Roaming\sysdefragler\8c100c78223478b9ca901a9b8f09349a994c3e7fc78a82af897ec1acb202b043.exe
Filesize
628KB

MD5
21b485281c51911c061f809c80f68ea9

SHA1
4da7ec45cfff4bc2c62ec1610420a179f30f4994

SHA256
8c100c58223458b7ca901a7b8f09349a774c3e5fc58a62af875ec1acb202b043

SHA512
5a5066d8c50b68903e49c9b4a722dab419a2e3a7cf534bd912c620c707abac86154ef87c3b906542c48323076912a95b0e135809fdcc6edc968216bdef6808b3

Download Submit
memory/540-138-0x00000000023F0000-0x000000000241D000-memory.dmp

Filesize
180KB

Download
memory/540-139-0x0000000002441000-0x000000000246D000-memory.dmp

Filesize
176KB

Download
memory/540-130-0x0000000002440000-0x000000000246E000-memory.dmp

Filesize
184KB

Download
memory/668-149-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/668-148-0x0000000000E81000-0x0000000000EAD000-memory.dmp

Filesize
176KB

Download
memory/956-137-0x0000000000000000-mapping.dmp

Download
memory/956-142-0x000001C4E5540000-0x000001C4E5560000-memory.dmp

Filesize
128KB

Download
memory/956-143-0x000001C4E5540000-0x000001C4E5560000-memory.dmp

Filesize
128KB

Download
memory/4640-141-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4640-140-0x0000000000A21000-0x0000000000A4D000-memory.dmp

Filesize
176KB

Download
memory/4640-132-0x0000000000000000-mapping.dmp

Download
memory/4840-147-0x0000000000000000-mapping.dmp

Download
memory/4840-150-0x0000016B64350000-0x0000016B64370000-memory.dmp

Filesize
128KB

Download
memory/4840-151-0x0000016B64350000-0x0000016B64370000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads