trickbot | 6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3

General

Target

6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe
Size

368KB
MD5

ce0d380468c41fbc489fcaefcee3d211
SHA1

132fb83fa51c9624d2e5ddd6e5f40751ac839c63
SHA256

6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3
SHA512

7c15e5648f9250522dd5279eb1d9b2c8fe6db0a572501856cf8d4c66161a4b73d3b28a4462a5c3900d665cdffd26391ea78ea8b9941c3e7ef903611ea10c0a38
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qh:emSuOcHmnYhrDMTrban4qh

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4960-132-0x0000000001410000-0x0000000001439000-memory.dmp	trickbot_loader32
behavioral2/memory/5080-137-0x0000000001050000-0x0000000001079000-memory.dmp	trickbot_loader32
behavioral2/memory/4960-138-0x0000000001410000-0x0000000001439000-memory.dmp	trickbot_loader32
behavioral2/memory/5080-149-0x0000000001050000-0x0000000001079000-memory.dmp	trickbot_loader32
behavioral2/memory/3340-151-0x0000000001450000-0x0000000001479000-memory.dmp	trickbot_loader32
behavioral2/memory/3340-162-0x0000000001450000-0x0000000001479000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

pid	process
5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

description pid process

Token: SeTcbPrivilege 3340 7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

description	pid	process
Token: SeTcbPrivilege	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe

description	pid	process	target process
PID 4960 wrote to memory of 5080	4960	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
PID 4960 wrote to memory of 5080	4960	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
PID 4960 wrote to memory of 5080	4960	6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 5080 wrote to memory of 372	5080	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe
PID 3340 wrote to memory of 3172	3340	7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe
"C:\Users\Admin\AppData\Local\Temp\6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:372

C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\0f5007522459c86e95ffcc62f32308f1_9be0bf4d-f8db-4af4-be85-dc38433c9501
Filesize
1KB

MD5
bcd07bbd1c111ae67e12072e8d39c356

SHA1
bcff0b27d0e631d3988d8f2cd37088e51a79d483

SHA256
ffab53bc698f686dea114dd7fd0fe54f71b8d344f4296f7c5257b18d6bad6d06

SHA512
a46b0414c2db7472d14f521883318e3eb2587cc4ad726a23f35ccfbceddb292a889699bf0878b5983ad9fbf932748a5228ee57b6533fb1228ece3711419ca8fd

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
Filesize
368KB

MD5
ce0d380468c41fbc489fcaefcee3d211

SHA1
132fb83fa51c9624d2e5ddd6e5f40751ac839c63

SHA256
6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3

SHA512
7c15e5648f9250522dd5279eb1d9b2c8fe6db0a572501856cf8d4c66161a4b73d3b28a4462a5c3900d665cdffd26391ea78ea8b9941c3e7ef903611ea10c0a38

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
Filesize
368KB

MD5
ce0d380468c41fbc489fcaefcee3d211

SHA1
132fb83fa51c9624d2e5ddd6e5f40751ac839c63

SHA256
6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3

SHA512
7c15e5648f9250522dd5279eb1d9b2c8fe6db0a572501856cf8d4c66161a4b73d3b28a4462a5c3900d665cdffd26391ea78ea8b9941c3e7ef903611ea10c0a38

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\7c4b3d61fe4c9c68b9e4cc2c31cd8970e48f77937e4ed4d321a0984b94204ee3.exe
Filesize
368KB

MD5
ce0d380468c41fbc489fcaefcee3d211

SHA1
132fb83fa51c9624d2e5ddd6e5f40751ac839c63

SHA256
6c4b3d51fe4c8c57b9e4cc2c31cd7960e47f66936e4ed4d321a0874b94204ee3

SHA512
7c15e5648f9250522dd5279eb1d9b2c8fe6db0a572501856cf8d4c66161a4b73d3b28a4462a5c3900d665cdffd26391ea78ea8b9941c3e7ef903611ea10c0a38

Download Submit
memory/372-145-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/372-143-0x0000000000000000-mapping.dmp

Download
memory/3172-156-0x0000000000000000-mapping.dmp

Download
memory/3340-151-0x0000000001450000-0x0000000001479000-memory.dmp

Filesize
164KB

Download
memory/3340-162-0x0000000001450000-0x0000000001479000-memory.dmp

Filesize
164KB

Download
memory/4960-138-0x0000000001410000-0x0000000001439000-memory.dmp

Filesize
164KB

Download
memory/4960-132-0x0000000001410000-0x0000000001439000-memory.dmp

Filesize
164KB

Download
memory/5080-137-0x0000000001050000-0x0000000001079000-memory.dmp

Filesize
164KB

Download
memory/5080-140-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/5080-149-0x0000000001050000-0x0000000001079000-memory.dmp

Filesize
164KB

Download
memory/5080-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads