Overview

overview

10

Static

static

10

tb.exe

windows7-x64

10

tb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2022 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tb.exe

  • Size

    163KB

  • MD5

    a5b4f5aa908d9d51cfeec04116b8ace4

  • SHA1

    62d6564ffde2940e30db9def1905becd7840cf05

  • SHA256

    7d6f0dab906d853673b009003fb407769490faeb832efab18a684f426db421b2

  • SHA512

    c884f0f28752b9693ea9733a2b66fffcba3b51b950a7c6cbc7fe61370ec3437d1fcfcd571ddef63f5d9f1af42aa3fa5faf91bc1dc3bfbad5be2afc6dfcb345e2

  • SSDEEP

    3072:M+ucZmcRrrtlxqay6w9HNsKElYqJZZQ/vjk75x3iLMzf7zfGJwJ1QfqQ:M+BZhnldm9lshJUqN7z+JsQCQ

Score
10/10
trickbotbankertrojan

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 5 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tb.exe
    "C:\Users\Admin\AppData\Local\Temp\tb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Roaming\WNetval\tb.exe
      C:\Users\Admin\AppData\Roaming\WNetval\tb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:368
    • C:\Users\Admin\AppData\Roaming\WNetval\tb.exe
      C:\Users\Admin\AppData\Roaming\WNetval\tb.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
          PID:1052

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\WNetval\tb.exe
        Filesize

        163KB

        MD5

        a5b4f5aa908d9d51cfeec04116b8ace4

        SHA1

        62d6564ffde2940e30db9def1905becd7840cf05

        SHA256

        7d6f0dab906d853673b009003fb407769490faeb832efab18a684f426db421b2

        SHA512

        c884f0f28752b9693ea9733a2b66fffcba3b51b950a7c6cbc7fe61370ec3437d1fcfcd571ddef63f5d9f1af42aa3fa5faf91bc1dc3bfbad5be2afc6dfcb345e2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\WNetval\tb.exe
        Filesize

        163KB

        MD5

        a5b4f5aa908d9d51cfeec04116b8ace4

        SHA1

        62d6564ffde2940e30db9def1905becd7840cf05

        SHA256

        7d6f0dab906d853673b009003fb407769490faeb832efab18a684f426db421b2

        SHA512

        c884f0f28752b9693ea9733a2b66fffcba3b51b950a7c6cbc7fe61370ec3437d1fcfcd571ddef63f5d9f1af42aa3fa5faf91bc1dc3bfbad5be2afc6dfcb345e2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\WNetval\tb.exe
        Filesize

        163KB

        MD5

        a5b4f5aa908d9d51cfeec04116b8ace4

        SHA1

        62d6564ffde2940e30db9def1905becd7840cf05

        SHA256

        7d6f0dab906d853673b009003fb407769490faeb832efab18a684f426db421b2

        SHA512

        c884f0f28752b9693ea9733a2b66fffcba3b51b950a7c6cbc7fe61370ec3437d1fcfcd571ddef63f5d9f1af42aa3fa5faf91bc1dc3bfbad5be2afc6dfcb345e2

        Download Submit
      • memory/368-141-0x0000000000000000-mapping.dmp
        Download
      • memory/368-143-0x0000000010000000-0x000000001001F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1052-154-0x0000000000000000-mapping.dmp
        Download
      • memory/2444-136-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2444-132-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/4484-149-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/4484-160-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/5012-133-0x0000000000000000-mapping.dmp
        Download
      • memory/5012-138-0x0000000010000000-0x0000000010007000-memory.dmp
        Filesize

        28KB

        Download
      • memory/5012-147-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download