trickbot | 5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9

General

Target

5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
Size

509KB
MD5

5de0159c82fdd78e94b2565d105d3dae
SHA1

2b267c1cfde9af7d1807983f69d83cff234d0fe6
SHA256

5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9
SHA512

8100297f681243c29d5d4e33d48d8bfa64b0dbef6530f8a1b78d6120a15f04d8ccc8a034865d5c9321e5bab97098ab2673385f1de62e3fb463a548ab5dc0cd94

Score

10^/10

trickbot ser0719 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000231

Botnet

ser0719

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

103.210.30.201:443

158.58.131.54:443

87.117.146.63:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

31.29.62.112:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

185.129.193.221:443

184.68.167.42:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4476-131-0x0000000010000000-0x0000000010040000-memory.dmp	trickbot_loader32
behavioral2/memory/876-138-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral2/memory/1288-157-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe

pid	process
2560	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe

description	pid	process	target process
PID 4476 set thread context of 876	4476	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
PID 2560 set thread context of 1288	2560	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe

pid	process
4476	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
2560	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe

description	pid	process	target process
PID 4476 wrote to memory of 876	4476	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
PID 4476 wrote to memory of 876	4476	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
PID 4476 wrote to memory of 876	4476	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
PID 4476 wrote to memory of 876	4476	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
PID 876 wrote to memory of 2560	876	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
PID 876 wrote to memory of 2560	876	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
PID 876 wrote to memory of 2560	876	5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
PID 2560 wrote to memory of 1288	2560	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
PID 2560 wrote to memory of 1288	2560	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
PID 2560 wrote to memory of 1288	2560	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
PID 2560 wrote to memory of 1288	2560	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe
PID 1288 wrote to memory of 4956	1288	6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
"C:\Users\Admin\AppData\Local\Temp\5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe
"C:\Users\Admin\AppData\Local\Temp\5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Roaming\msglob\6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
C:\Users\Admin\AppData\Roaming\msglob\6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Roaming\msglob\6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
C:\Users\Admin\AppData\Roaming\msglob\6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1101907861-274115917-2188613224-1000\0f5007522459c86e95ffcc62f32308f1_146eccbb-68c5-4730-b193-ca9b081460a7
Filesize
1KB

MD5
72ade899abcb604d4bf378d903a925a7

SHA1
3a9db56c8331141b05d404f1571daec74850e695

SHA256
282fe1f180a0d24a52d30fe2448b32f59fcbac225373acee6b4be57fd9745b94

SHA512
2d04d4a4c49a0bdfa7b03592488fb06d4303d85366464edfc8d24ae188518d219676846560ad9e1a8cff00595d46be91db32919b395c415fb9d8e2f43f66f2db

Download Submit
C:\Users\Admin\AppData\Roaming\msglob\6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
Filesize
509KB

MD5
5de0159c82fdd78e94b2565d105d3dae

SHA1
2b267c1cfde9af7d1807983f69d83cff234d0fe6

SHA256
5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9

SHA512
8100297f681243c29d5d4e33d48d8bfa64b0dbef6530f8a1b78d6120a15f04d8ccc8a034865d5c9321e5bab97098ab2673385f1de62e3fb463a548ab5dc0cd94

Download Submit
C:\Users\Admin\AppData\Roaming\msglob\6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
Filesize
509KB

MD5
5de0159c82fdd78e94b2565d105d3dae

SHA1
2b267c1cfde9af7d1807983f69d83cff234d0fe6

SHA256
5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9

SHA512
8100297f681243c29d5d4e33d48d8bfa64b0dbef6530f8a1b78d6120a15f04d8ccc8a034865d5c9321e5bab97098ab2673385f1de62e3fb463a548ab5dc0cd94

Download Submit
C:\Users\Admin\AppData\Roaming\msglob\6f0f627224772093e063e834c0efee9f920c9774683bdf96bd20d4669914d4d9.exe
Filesize
509KB

MD5
5de0159c82fdd78e94b2565d105d3dae

SHA1
2b267c1cfde9af7d1807983f69d83cff234d0fe6

SHA256
5f0f526224662093e053e734c0efee8f820c8664573bdf95bd20d4558814d4d9

SHA512
8100297f681243c29d5d4e33d48d8bfa64b0dbef6530f8a1b78d6120a15f04d8ccc8a034865d5c9321e5bab97098ab2673385f1de62e3fb463a548ab5dc0cd94

Download Submit
memory/876-138-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/876-134-0x0000000000000000-mapping.dmp

Download
memory/1288-143-0x0000000000000000-mapping.dmp

Download
memory/1288-146-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1288-157-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2560-135-0x0000000000000000-mapping.dmp

Download
memory/4476-131-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/4956-149-0x0000000000000000-mapping.dmp

Download
memory/4956-151-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads