trickbot | 5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1

General

Target

5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe
Size

357KB
MD5

20cfd69939e88b9a5f68dcbc29805891
SHA1

ecb58bf18d88c9a3afa8c88834205b3ab8d16f83
SHA256

5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1
SHA512

c5b6e33ab30647429342984431322827f4809a314123a48155c022a28e5d9a0cc49b85cc0df3d7d31baab88a5a4c052621e5c0d2f6ddce14a5ae0b9070a6bb7f

Score

10^/10

trickbot sat4 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000311

Botnet

sat4

C2

82.202.212.172:443

24.247.181.155:449

24.247.182.39:449

109.234.38.220:443

24.247.182.29:449

24.247.182.7:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1220-55-0x0000000000360000-0x00000000003A0000-memory.dmp	trickbot_loader32
behavioral1/memory/1220-67-0x0000000000360000-0x00000000003A0000-memory.dmp	trickbot_loader32
behavioral1/memory/1684-83-0x00000000003A0000-0x00000000003E0000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe

pid process

1684 6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe

Loads dropped DLL 2 IoCs

Processes:

5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe

pid	process
1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe
1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1556 sc.exe
1604 sc.exe

pid	process
1556	sc.exe
1604	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exepowershell.exe

pid	process
1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe
1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe
1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe
1708	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1708 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1708	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.execmd.execmd.execmd.exe6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe

description	pid	process	target process
PID 1220 wrote to memory of 2036	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 2036	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 2036	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 2036	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 1484	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 1484	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 1484	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 1484	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 944	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 944	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 944	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 944	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	cmd.exe
PID 1220 wrote to memory of 1684	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
PID 1220 wrote to memory of 1684	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
PID 1220 wrote to memory of 1684	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
PID 1220 wrote to memory of 1684	1220	5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
PID 1484 wrote to memory of 1604	1484	cmd.exe	sc.exe
PID 1484 wrote to memory of 1604	1484	cmd.exe	sc.exe
PID 1484 wrote to memory of 1604	1484	cmd.exe	sc.exe
PID 1484 wrote to memory of 1604	1484	cmd.exe	sc.exe
PID 2036 wrote to memory of 1556	2036	cmd.exe	sc.exe
PID 2036 wrote to memory of 1556	2036	cmd.exe	sc.exe
PID 2036 wrote to memory of 1556	2036	cmd.exe	sc.exe
PID 2036 wrote to memory of 1556	2036	cmd.exe	sc.exe
PID 944 wrote to memory of 1708	944	cmd.exe	powershell.exe
PID 944 wrote to memory of 1708	944	cmd.exe	powershell.exe
PID 944 wrote to memory of 1708	944	cmd.exe	powershell.exe
PID 944 wrote to memory of 1708	944	cmd.exe	powershell.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe
PID 1684 wrote to memory of 308	1684	6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe
"C:\Users\Admin\AppData\Local\Temp\5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:1556

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:1604

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\AppData\Roaming\NetSf\6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
C:\Users\Admin\AppData\Roaming\NetSf\6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-335065374-4263250628-1829373619-1000\0f5007522459c86e95ffcc62f32308f1_0e48fa26-0403-4155-8666-47cf3ae5a0ae
Filesize
1KB

MD5
d4dee3236decfdc288ae18ba31fa6c3f

SHA1
9b1c81a571f31828c9d7506f7d92f35fa5ac9759

SHA256
6613696ce18143b98001ac9efb5847b90d396dc78f9a1c2ea2589f2b49a40780

SHA512
a3bcd426cab4c5ec7dda48d478c1e7cb920774fb97fef15209806f49dbdcee0b856b6f772a6fc8dc05a830c8ea9f23a03ff8bbc5fd8437b412fff04e2c9ef4df

Download Submit
C:\Users\Admin\AppData\Roaming\NetSf\6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
Filesize
357KB

MD5
20cfd69939e88b9a5f68dcbc29805891

SHA1
ecb58bf18d88c9a3afa8c88834205b3ab8d16f83

SHA256
5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1

SHA512
c5b6e33ab30647429342984431322827f4809a314123a48155c022a28e5d9a0cc49b85cc0df3d7d31baab88a5a4c052621e5c0d2f6ddce14a5ae0b9070a6bb7f

Download Submit
\Users\Admin\AppData\Roaming\NetSf\6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
Filesize
357KB

MD5
20cfd69939e88b9a5f68dcbc29805891

SHA1
ecb58bf18d88c9a3afa8c88834205b3ab8d16f83

SHA256
5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1

SHA512
c5b6e33ab30647429342984431322827f4809a314123a48155c022a28e5d9a0cc49b85cc0df3d7d31baab88a5a4c052621e5c0d2f6ddce14a5ae0b9070a6bb7f

Download Submit
\Users\Admin\AppData\Roaming\NetSf\6a94c969219922e20b61d98bd447df39c90d6a2919611f6ae4b9c0a3032dc8e1.exe
Filesize
357KB

MD5
20cfd69939e88b9a5f68dcbc29805891

SHA1
ecb58bf18d88c9a3afa8c88834205b3ab8d16f83

SHA256
5a84c958219922e20b51d87bd446df38c90d5a2918511f5ae4b9c0a3032dc7e1

SHA512
c5b6e33ab30647429342984431322827f4809a314123a48155c022a28e5d9a0cc49b85cc0df3d7d31baab88a5a4c052621e5c0d2f6ddce14a5ae0b9070a6bb7f

Download Submit
memory/308-77-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/308-75-0x0000000000000000-mapping.dmp

Download
memory/944-58-0x0000000000000000-mapping.dmp

Download
memory/1220-67-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/1220-55-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/1220-54-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1484-57-0x0000000000000000-mapping.dmp

Download
memory/1556-64-0x0000000000000000-mapping.dmp

Download
memory/1604-63-0x0000000000000000-mapping.dmp

Download
memory/1684-72-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1684-61-0x0000000000000000-mapping.dmp

Download
memory/1684-83-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/1708-68-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-65-0x0000000000000000-mapping.dmp

Download
memory/1708-84-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-85-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads