trickbot | 5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149

General

Target

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe
Size

508KB
MD5

016141489862022439b63abc649186e6
SHA1

cb7d8c2bee9d9271835c77b90b4be02680c5889f
SHA256

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149
SHA512

0d413ae62a8cc7d74a5912705f00ba6c25bae9f6fce5b91d4adebd50c980ce0ce087c15b6c4df3cf47d4609a89534d04ff4c86b2c0f5eec512851c66b038ac83

Score

10^/10

trickbot tot372 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000316

Botnet

tot372

C2

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1156-72-0x0000000002CB0000-0x0000000002CF0000-memory.dmp	trickbot_loader32
behavioral1/memory/1756-109-0x0000000002CA0000-0x0000000002CE0000-memory.dmp	trickbot_loader32
behavioral1/memory/1756-122-0x0000000002CA0000-0x0000000002CE0000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe

pid process

1756 6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe

Loads dropped DLL 2 IoCs

Processes:

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe

pid	process
1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe
1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1660 sc.exe
1736 sc.exe

pid	process
1660	sc.exe
1736	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exepowershell.exe

pid	process
1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe
1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe
1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe
1128	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1128 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1128	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe

pid	process
1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe
1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.execmd.execmd.execmd.exe6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe

description	pid	process	target process
PID 1156 wrote to memory of 2036	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 2036	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 2036	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 2036	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1060	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1060	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1060	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1060	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1976	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1976	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1976	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1976	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	cmd.exe
PID 1156 wrote to memory of 1756	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
PID 1156 wrote to memory of 1756	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
PID 1156 wrote to memory of 1756	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
PID 1156 wrote to memory of 1756	1156	5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
PID 2036 wrote to memory of 1660	2036	cmd.exe	sc.exe
PID 2036 wrote to memory of 1660	2036	cmd.exe	sc.exe
PID 2036 wrote to memory of 1660	2036	cmd.exe	sc.exe
PID 2036 wrote to memory of 1660	2036	cmd.exe	sc.exe
PID 1060 wrote to memory of 1736	1060	cmd.exe	sc.exe
PID 1060 wrote to memory of 1736	1060	cmd.exe	sc.exe
PID 1060 wrote to memory of 1736	1060	cmd.exe	sc.exe
PID 1060 wrote to memory of 1736	1060	cmd.exe	sc.exe
PID 1976 wrote to memory of 1128	1976	cmd.exe	powershell.exe
PID 1976 wrote to memory of 1128	1976	cmd.exe	powershell.exe
PID 1976 wrote to memory of 1128	1976	cmd.exe	powershell.exe
PID 1976 wrote to memory of 1128	1976	cmd.exe	powershell.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe
PID 1756 wrote to memory of 1480	1756	6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe
"C:\Users\Admin\AppData\Local\Temp\5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:1660

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:1736

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Users\Admin\AppData\Roaming\WinDefrag\6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
C:\Users\Admin\AppData\Roaming\WinDefrag\6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1480

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinDefrag\6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
Filesize
508KB

MD5
016141489862022439b63abc649186e6

SHA1
cb7d8c2bee9d9271835c77b90b4be02680c5889f

SHA256
5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149

SHA512
0d413ae62a8cc7d74a5912705f00ba6c25bae9f6fce5b91d4adebd50c980ce0ce087c15b6c4df3cf47d4609a89534d04ff4c86b2c0f5eec512851c66b038ac83

Download Submit
\Users\Admin\AppData\Roaming\WinDefrag\6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
Filesize
508KB

MD5
016141489862022439b63abc649186e6

SHA1
cb7d8c2bee9d9271835c77b90b4be02680c5889f

SHA256
5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149

SHA512
0d413ae62a8cc7d74a5912705f00ba6c25bae9f6fce5b91d4adebd50c980ce0ce087c15b6c4df3cf47d4609a89534d04ff4c86b2c0f5eec512851c66b038ac83

Download Submit
\Users\Admin\AppData\Roaming\WinDefrag\6a739b0b0a139294017799277e026cd00a34933af8c21e13af9ca39fe881c149.exe
Filesize
508KB

MD5
016141489862022439b63abc649186e6

SHA1
cb7d8c2bee9d9271835c77b90b4be02680c5889f

SHA256
5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149

SHA512
0d413ae62a8cc7d74a5912705f00ba6c25bae9f6fce5b91d4adebd50c980ce0ce087c15b6c4df3cf47d4609a89534d04ff4c86b2c0f5eec512851c66b038ac83

Download Submit
memory/1060-77-0x0000000000000000-mapping.dmp

Download
memory/1128-107-0x0000000073B10000-0x00000000740BB000-memory.dmp

Filesize
5.7MB

Download
memory/1128-87-0x0000000000000000-mapping.dmp

Download
memory/1156-68-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-74-0x0000000002CA0000-0x0000000002DB0000-memory.dmp

Filesize
1.1MB

Download
memory/1156-64-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-65-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-66-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-67-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-56-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-70-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-69-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-72-0x0000000002CB0000-0x0000000002CF0000-memory.dmp

Filesize
256KB

Download
memory/1156-73-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1156-62-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-75-0x0000000002CA0000-0x0000000002DB0000-memory.dmp

Filesize
1.1MB

Download
memory/1156-59-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-63-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-58-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-57-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-61-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1156-60-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1480-114-0x0000000000000000-mapping.dmp

Download
memory/1480-116-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/1660-83-0x0000000000000000-mapping.dmp

Download
memory/1736-84-0x0000000000000000-mapping.dmp

Download
memory/1756-99-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-90-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-98-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-96-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-97-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-100-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-103-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-102-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-101-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-93-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-92-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-94-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-91-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-95-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-81-0x0000000000000000-mapping.dmp

Download
memory/1756-108-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/1756-109-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/1756-111-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1756-122-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

Filesize
256KB

Download
memory/1976-78-0x0000000000000000-mapping.dmp

Download
memory/2036-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads