trickbot | 5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5

General

Target

5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe
Size

388KB
MD5

a09f55e86608b24cf635e60e56e6d763
SHA1

28a1cf064d988b85e09e68b1076097a8cfceb996
SHA256

5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5
SHA512

0ac795e374a1e44ede1d718a8a1791b6ac055235170f7ac931fb759619e6cd80f2aa63df07b3aa109f6def1fe6e9ad019d514f0c2068dc4e34c13b616757fa4e

Score

10^/10

trickbot lib358 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000304

Botnet

lib358

C2

188.68.208.240:443

24.247.181.155:449

174.105.235.178:449

185.80.148.162:443

181.113.17.230:449

174.105.233.82:449

71.14.129.8:449

216.183.62.43:449

42.115.91.177:443

137.74.151.18:443

71.94.101.25:443

206.130.141.255:449

92.38.163.39:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

213.183.63.245:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1508-56-0x0000000000390000-0x00000000003D0000-memory.dmp	trickbot_loader32
behavioral1/memory/1508-87-0x0000000000390000-0x00000000003D0000-memory.dmp	trickbot_loader32
behavioral1/memory/916-88-0x00000000002B0000-0x00000000002F0000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe

pid process

916 6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe

Loads dropped DLL 2 IoCs

Processes:

5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe

pid	process
1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe
1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2020 sc.exe
2000 sc.exe

pid	process
2020	sc.exe
2000	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exepowershell.exe

pid	process
1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe
1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe
1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe
1876	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1876 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1876	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe

pid	process
1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe
916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.execmd.execmd.execmd.exe6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe

description	pid	process	target process
PID 1508 wrote to memory of 1092	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1092	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1092	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1092	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1828	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1828	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1828	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1828	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1948	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1948	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1948	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1508 wrote to memory of 1948	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	cmd.exe	sc.exe
PID 1092 wrote to memory of 2020	1092	cmd.exe	sc.exe
PID 1092 wrote to memory of 2020	1092	cmd.exe	sc.exe
PID 1092 wrote to memory of 2020	1092	cmd.exe	sc.exe
PID 1828 wrote to memory of 2000	1828	cmd.exe	sc.exe
PID 1828 wrote to memory of 2000	1828	cmd.exe	sc.exe
PID 1828 wrote to memory of 2000	1828	cmd.exe	sc.exe
PID 1828 wrote to memory of 2000	1828	cmd.exe	sc.exe
PID 1948 wrote to memory of 1876	1948	cmd.exe	powershell.exe
PID 1948 wrote to memory of 1876	1948	cmd.exe	powershell.exe
PID 1948 wrote to memory of 1876	1948	cmd.exe	powershell.exe
PID 1948 wrote to memory of 1876	1948	cmd.exe	powershell.exe
PID 1508 wrote to memory of 916	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
PID 1508 wrote to memory of 916	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
PID 1508 wrote to memory of 916	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
PID 1508 wrote to memory of 916	1508	5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe
PID 916 wrote to memory of 1008	916	6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe
"C:\Users\Admin\AppData\Local\Temp\5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:2020

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:2000

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Users\Admin\AppData\Roaming\vrssit\6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
C:\Users\Admin\AppData\Roaming\vrssit\6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vrssit\6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
Filesize
388KB

MD5
a09f55e86608b24cf635e60e56e6d763

SHA1
28a1cf064d988b85e09e68b1076097a8cfceb996

SHA256
5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5

SHA512
0ac795e374a1e44ede1d718a8a1791b6ac055235170f7ac931fb759619e6cd80f2aa63df07b3aa109f6def1fe6e9ad019d514f0c2068dc4e34c13b616757fa4e

Download Submit
\Users\Admin\AppData\Roaming\vrssit\6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
Filesize
388KB

MD5
a09f55e86608b24cf635e60e56e6d763

SHA1
28a1cf064d988b85e09e68b1076097a8cfceb996

SHA256
5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5

SHA512
0ac795e374a1e44ede1d718a8a1791b6ac055235170f7ac931fb759619e6cd80f2aa63df07b3aa109f6def1fe6e9ad019d514f0c2068dc4e34c13b616757fa4e

Download Submit
\Users\Admin\AppData\Roaming\vrssit\6ed7f28ab039c0fcb2221dd19092af1eab9669428d2a4a31049381dc419d4ff6.exe
Filesize
388KB

MD5
a09f55e86608b24cf635e60e56e6d763

SHA1
28a1cf064d988b85e09e68b1076097a8cfceb996

SHA256
5ed6f27ab039c0fcb2221dd18092af1eab9558427d2a4a31048371dc419d4ff5

SHA512
0ac795e374a1e44ede1d718a8a1791b6ac055235170f7ac931fb759619e6cd80f2aa63df07b3aa109f6def1fe6e9ad019d514f0c2068dc4e34c13b616757fa4e

Download Submit
memory/916-76-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/916-67-0x0000000000000000-mapping.dmp

Download
memory/916-88-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/1008-79-0x0000000000000000-mapping.dmp

Download
memory/1008-81-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/1092-59-0x0000000000000000-mapping.dmp

Download
memory/1508-58-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1508-56-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1508-87-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1828-60-0x0000000000000000-mapping.dmp

Download
memory/1876-64-0x0000000000000000-mapping.dmp

Download
memory/1876-89-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-90-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-61-0x0000000000000000-mapping.dmp

Download
memory/2000-63-0x0000000000000000-mapping.dmp

Download
memory/2020-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads