trickbot | 0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362

General

Target

0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362.exe
Size

314KB
MD5

2da1d4cc6c7a815a9b644475060c8c85
SHA1

305864b19b3bacea25243bac415264b401e34d6b
SHA256

0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362
SHA512

f9f47ac6a4abe7ab2cb91d0f4e6f20b4dc7c28b83df588010191adb30031865e41cc0fff8f98c4226085b0bd9c2e1375bfa5f1e4c58868b3b9380aeaba198ed2
SSDEEP

6144:Pu1TYYRYx0SxYYq1eIk/M9W9MlBkwaUVAv4zDKGvfYYwXe:QYYXSqC/Mw9MjxAvQXYZXe

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3220-132-0x0000000001500000-0x000000000152B000-memory.dmp	trickbot_loader32
behavioral2/memory/3220-133-0x0000000001500000-0x000000000152B000-memory.dmp	trickbot_loader32
behavioral2/memory/3220-137-0x0000000001500000-0x000000000152B000-memory.dmp	trickbot_loader32
behavioral2/memory/4932-139-0x0000000000CF0000-0x0000000000D1B000-memory.dmp	trickbot_loader32
behavioral2/memory/4932-150-0x0000000000CF0000-0x0000000000D1B000-memory.dmp	trickbot_loader32
behavioral2/memory/760-152-0x00000000013B0000-0x00000000013DB000-memory.dmp	trickbot_loader32
behavioral2/memory/760-163-0x00000000013B0000-0x00000000013DB000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe

pid	process
4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

49 ident.me
48 ident.me
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe

description pid process

Token: SeTcbPrivilege 760 0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe

flow	ioc
49	ident.me
48	ident.me

description	pid	process
Token: SeTcbPrivilege	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362.exe0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe

description	pid	process	target process
PID 3220 wrote to memory of 4932	3220	0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362.exe	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
PID 3220 wrote to memory of 4932	3220	0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362.exe	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
PID 3220 wrote to memory of 4932	3220	0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362.exe	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 4932 wrote to memory of 4824	4932	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe
PID 760 wrote to memory of 2772	760	0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362.exe
"C:\Users\Admin\AppData\Local\Temp\0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Roaming\appnet\0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
C:\Users\Admin\AppData\Roaming\appnet\0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4824

C:\Users\Admin\AppData\Roaming\appnet\0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
C:\Users\Admin\AppData\Roaming\appnet\0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2295526160-1155304984-640977766-1000\0f5007522459c86e95ffcc62f32308f1_4b401a7f-b7c1-4c1c-a9cf-2b1aa260545d
Filesize
1KB

MD5
f4e41db7fd999620e725f054a5d0d2ce

SHA1
e0ad06ded2d50cafed56c48a70197a5ad4b49a4f

SHA256
a23db3994d4b6dbf5d1e403f16b13fadf7e0611ea306b28ad03aaabebad54990

SHA512
3f893d7a115b20d549d91920e24997859425e323d17e353ddf1a1046e830372aff839976d50f458af222e47e6cd8140e9c610b62c4ca174648b35ba3fb16c703

Download Submit
C:\Users\Admin\AppData\Roaming\appnet\0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
Filesize
314KB

MD5
2da1d4cc6c7a815a9b644475060c8c85

SHA1
305864b19b3bacea25243bac415264b401e34d6b

SHA256
0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362

SHA512
f9f47ac6a4abe7ab2cb91d0f4e6f20b4dc7c28b83df588010191adb30031865e41cc0fff8f98c4226085b0bd9c2e1375bfa5f1e4c58868b3b9380aeaba198ed2

Download Submit
C:\Users\Admin\AppData\Roaming\appnet\0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
Filesize
314KB

MD5
2da1d4cc6c7a815a9b644475060c8c85

SHA1
305864b19b3bacea25243bac415264b401e34d6b

SHA256
0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362

SHA512
f9f47ac6a4abe7ab2cb91d0f4e6f20b4dc7c28b83df588010191adb30031865e41cc0fff8f98c4226085b0bd9c2e1375bfa5f1e4c58868b3b9380aeaba198ed2

Download Submit
C:\Users\Admin\AppData\Roaming\appnet\0f577eebf215bea618775f3fb35099deb9f12f8910c0d972d8d7968c9ca09372.exe
Filesize
314KB

MD5
2da1d4cc6c7a815a9b644475060c8c85

SHA1
305864b19b3bacea25243bac415264b401e34d6b

SHA256
0f466eebf214bea517664f3fb34099deb9f12f7910c0d962d7d6957c8ca09362

SHA512
f9f47ac6a4abe7ab2cb91d0f4e6f20b4dc7c28b83df588010191adb30031865e41cc0fff8f98c4226085b0bd9c2e1375bfa5f1e4c58868b3b9380aeaba198ed2

Download Submit
memory/760-152-0x00000000013B0000-0x00000000013DB000-memory.dmp

Filesize
172KB

Download
memory/760-163-0x00000000013B0000-0x00000000013DB000-memory.dmp

Filesize
172KB

Download
memory/2772-157-0x0000000000000000-mapping.dmp

Download
memory/3220-133-0x0000000001500000-0x000000000152B000-memory.dmp

Filesize
172KB

Download
memory/3220-137-0x0000000001500000-0x000000000152B000-memory.dmp

Filesize
172KB

Download
memory/3220-132-0x0000000001500000-0x000000000152B000-memory.dmp

Filesize
172KB

Download
memory/4824-144-0x0000000000000000-mapping.dmp

Download
memory/4824-146-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4932-134-0x0000000000000000-mapping.dmp

Download
memory/4932-139-0x0000000000CF0000-0x0000000000D1B000-memory.dmp

Filesize
172KB

Download
memory/4932-141-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4932-150-0x0000000000CF0000-0x0000000000D1B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads