trickbot | 5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325

General

Target

5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe
Size

565KB
MD5

d61ca02b30b949fcc13e1876304a66a4
SHA1

c33de07051e054c0ddeacdbcea94a348681d9233
SHA256

5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325
SHA512

0c3e7e023c85a4cbe4c285ca8d3fd87d5a3ae65dc5cdc263e78c68956bc07af3457d20bedee31364faf1acd21044bac531106d92488f4a5ab6cc924fd8361f53

Score

10^/10

trickbot sat76 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000275

Botnet

sat76

C2

51.68.184.101:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

212.23.70.149:443

185.251.38.178:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1652-56-0x00000000005E0000-0x000000000061D000-memory.dmp	trickbot_loader32
behavioral1/memory/1652-69-0x00000000005E0000-0x000000000061D000-memory.dmp	trickbot_loader32
behavioral1/memory/1864-87-0x00000000004D0000-0x000000000050D000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe

pid process

1864 6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe

Loads dropped DLL 2 IoCs

Processes:

5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe

pid	process
1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe
1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

580 sc.exe
1912 sc.exe

pid	process
580	sc.exe
1912	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exepowershell.exe

pid	process
1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe
1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe
1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe
472	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 472 powershell.exe

description	pid	process
Token: SeDebugPrivilege	472	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.execmd.execmd.execmd.exe6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe

description	pid	process	target process
PID 1652 wrote to memory of 1332	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 1332	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 1332	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 1332	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 1440	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 1440	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 1440	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 1440	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 832	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 832	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 832	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1652 wrote to memory of 832	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	cmd.exe
PID 1440 wrote to memory of 580	1440	cmd.exe	sc.exe
PID 1440 wrote to memory of 580	1440	cmd.exe	sc.exe
PID 1440 wrote to memory of 580	1440	cmd.exe	sc.exe
PID 1440 wrote to memory of 580	1440	cmd.exe	sc.exe
PID 1332 wrote to memory of 1912	1332	cmd.exe	sc.exe
PID 1332 wrote to memory of 1912	1332	cmd.exe	sc.exe
PID 1332 wrote to memory of 1912	1332	cmd.exe	sc.exe
PID 1332 wrote to memory of 1912	1332	cmd.exe	sc.exe
PID 832 wrote to memory of 472	832	cmd.exe	powershell.exe
PID 832 wrote to memory of 472	832	cmd.exe	powershell.exe
PID 832 wrote to memory of 472	832	cmd.exe	powershell.exe
PID 832 wrote to memory of 472	832	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1864	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
PID 1652 wrote to memory of 1864	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
PID 1652 wrote to memory of 1864	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
PID 1652 wrote to memory of 1864	1652	5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe
PID 1864 wrote to memory of 1132	1864	6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe
"C:\Users\Admin\AppData\Local\Temp\5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:1912

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:580

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Users\Admin\AppData\Roaming\AIMY\6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
C:\Users\Admin\AppData\Roaming\AIMY\6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1132

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AIMY\6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
Filesize
565KB

MD5
d61ca02b30b949fcc13e1876304a66a4

SHA1
c33de07051e054c0ddeacdbcea94a348681d9233

SHA256
5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325

SHA512
0c3e7e023c85a4cbe4c285ca8d3fd87d5a3ae65dc5cdc263e78c68956bc07af3457d20bedee31364faf1acd21044bac531106d92488f4a5ab6cc924fd8361f53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3762437355-3468409815-1164039494-1000\0f5007522459c86e95ffcc62f32308f1_327f7753-eed3-43ec-871a-c7bcf65868ec
Filesize
1KB

MD5
04b6acb689baccf1d741ce92c751ec16

SHA1
4d036e09796d2ae311e4d3dc541a216e0853cc05

SHA256
497d53aa63c17bcacf2c3ea3236583c8412b8d0224b82486eb3d0f5e3f7455cd

SHA512
924cda745ddf66d0237552763703a0f154a5deb6f89532f8e52b544854a62ff34e68634fc5c7420adaf8b99da481ce15338078357424cb44a97ae43351ca14b9

Download Submit
\Users\Admin\AppData\Roaming\AIMY\6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
Filesize
565KB

MD5
d61ca02b30b949fcc13e1876304a66a4

SHA1
c33de07051e054c0ddeacdbcea94a348681d9233

SHA256
5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325

SHA512
0c3e7e023c85a4cbe4c285ca8d3fd87d5a3ae65dc5cdc263e78c68956bc07af3457d20bedee31364faf1acd21044bac531106d92488f4a5ab6cc924fd8361f53

Download Submit
\Users\Admin\AppData\Roaming\AIMY\6ec64b2f42a93caefb38ff13b069ca892c0fba7629412498eda9493bc7941326.exe
Filesize
565KB

MD5
d61ca02b30b949fcc13e1876304a66a4

SHA1
c33de07051e054c0ddeacdbcea94a348681d9233

SHA256
5ec54b2f42a83caefb37ff13b059ca792c0fba6529412487eda9483bc6841325

SHA512
0c3e7e023c85a4cbe4c285ca8d3fd87d5a3ae65dc5cdc263e78c68956bc07af3457d20bedee31364faf1acd21044bac531106d92488f4a5ab6cc924fd8361f53

Download Submit
memory/472-62-0x0000000000000000-mapping.dmp

Download
memory/472-72-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/472-71-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/580-60-0x0000000000000000-mapping.dmp

Download
memory/832-59-0x0000000000000000-mapping.dmp

Download
memory/1132-79-0x0000000000000000-mapping.dmp

Download
memory/1132-81-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/1332-57-0x0000000000000000-mapping.dmp

Download
memory/1440-58-0x0000000000000000-mapping.dmp

Download
memory/1652-54-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1652-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1652-69-0x00000000005E0000-0x000000000061D000-memory.dmp

Filesize
244KB

Download
memory/1652-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1652-56-0x00000000005E0000-0x000000000061D000-memory.dmp

Filesize
244KB

Download
memory/1864-66-0x0000000000000000-mapping.dmp

Download
memory/1864-76-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1864-70-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1864-87-0x00000000004D0000-0x000000000050D000-memory.dmp

Filesize
244KB

Download
memory/1864-88-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1912-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads