trickbot | dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

General

Target

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
Size

484KB
MD5

545bfdc9b1976ae0003443ff4f90eb7e
SHA1

92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326
SHA256

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740
SHA512

d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f
SSDEEP

6144:zk0Ip3PNVUaXMR7knvo62EYuWHWOQyojEHkXS6vhGQf9135F8u:z03PNVMooKHWHWnyojM6v1tEu

Score

10^/10

trickbot banker dave trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 10 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1108-55-0x0000000001CC0000-0x0000000001CF4000-memory.dmp	trickbot_loader32
behavioral1/memory/1108-63-0x0000000000290000-0x00000000002C1000-memory.dmp	trickbot_loader32
behavioral1/memory/996-65-0x0000000000390000-0x00000000003C4000-memory.dmp	trickbot_loader32
behavioral1/memory/996-70-0x0000000001DA0000-0x0000000001DD1000-memory.dmp	trickbot_loader32
behavioral1/memory/996-71-0x00000000003D0000-0x0000000000400000-memory.dmp	trickbot_loader32
behavioral1/memory/996-72-0x0000000001DA1000-0x0000000001DD1000-memory.dmp	trickbot_loader32
behavioral1/memory/996-74-0x0000000001DA1000-0x0000000001DD1000-memory.dmp	trickbot_loader32
behavioral1/memory/1692-82-0x0000000000A00000-0x0000000000A34000-memory.dmp	trickbot_loader32
behavioral1/memory/1692-87-0x0000000000A81000-0x0000000000AB1000-memory.dmp	trickbot_loader32
behavioral1/memory/1692-89-0x0000000000A81000-0x0000000000AB1000-memory.dmp	trickbot_loader32

Dave packer 4 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/1108-55-0x0000000001CC0000-0x0000000001CF4000-memory.dmp	dave
behavioral1/memory/1108-63-0x0000000000290000-0x00000000002C1000-memory.dmp	dave
behavioral1/memory/996-65-0x0000000000390000-0x00000000003C4000-memory.dmp	dave
behavioral1/memory/1692-82-0x0000000000A00000-0x0000000000A34000-memory.dmp	dave

Executes dropped EXE 2 IoCs

Processes:

ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

pid process

996 ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
1692 ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

pid	process
996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

Loads dropped DLL 2 IoCs

Processes:

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe

pid	process
1108	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
1108	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

pid	process
1108	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
1108	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exetaskeng.exeԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe

description	pid	process	target process
PID 1108 wrote to memory of 996	1108	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 1108 wrote to memory of 996	1108	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 1108 wrote to memory of 996	1108	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 1108 wrote to memory of 996	1108	dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 996 wrote to memory of 1720	996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 996 wrote to memory of 1720	996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 996 wrote to memory of 1720	996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 996 wrote to memory of 1720	996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 996 wrote to memory of 1720	996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 996 wrote to memory of 1720	996	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 588 wrote to memory of 1692	588	taskeng.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 588 wrote to memory of 1692	588	taskeng.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 588 wrote to memory of 1692	588	taskeng.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 588 wrote to memory of 1692	588	taskeng.exe	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
PID 1692 wrote to memory of 1648	1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 1692 wrote to memory of 1648	1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 1692 wrote to memory of 1648	1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 1692 wrote to memory of 1648	1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 1692 wrote to memory of 1648	1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe
PID 1692 wrote to memory of 1648	1692	ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe
"C:\Users\Admin\AppData\Local\Temp\dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108

C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
"C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1720

C:\Windows\system32\taskeng.exe
taskeng.exe {22AC9021-533F-48A4-8B27-2AB105CDE741} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Roaming\windirect\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
C:\Users\Admin\AppData\Roaming\windirect\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
C:\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
C:\Users\Admin\AppData\Roaming\windirect\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
\ProgramData\ԳայլըсԳայլըПФрКЕыԳայլըааЫ.exe
Filesize
484KB

MD5
545bfdc9b1976ae0003443ff4f90eb7e

SHA1
92e8ce006bb3c4a1ddb8d8ba8de3a90c0bbb6326

SHA256
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

SHA512
d932842447cdbfdc439908cd3885c321a62565d6941ec1fc0bbc9b9af40bccd6285c982447dc2b36d6c6fb8b8955c4dc19dc4eac3cd691113203e190e926676f

Download Submit
memory/996-65-0x0000000000390000-0x00000000003C4000-memory.dmp

Filesize
208KB

Download
memory/996-70-0x0000000001DA0000-0x0000000001DD1000-memory.dmp

Filesize
196KB

Download
memory/996-71-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/996-72-0x0000000001DA1000-0x0000000001DD1000-memory.dmp

Filesize
192KB

Download
memory/996-74-0x0000000001DA1000-0x0000000001DD1000-memory.dmp

Filesize
192KB

Download
memory/996-75-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/996-61-0x0000000000000000-mapping.dmp

Download
memory/1108-63-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/1108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1108-55-0x0000000001CC0000-0x0000000001CF4000-memory.dmp

Filesize
208KB

Download
memory/1648-90-0x0000000000060000-0x0000000000082000-memory.dmp

Filesize
136KB

Download
memory/1648-88-0x0000000000000000-mapping.dmp

Download
memory/1692-79-0x0000000000000000-mapping.dmp

Download
memory/1692-82-0x0000000000A00000-0x0000000000A34000-memory.dmp

Filesize
208KB

Download
memory/1692-87-0x0000000000A81000-0x0000000000AB1000-memory.dmp

Filesize
192KB

Download
memory/1692-89-0x0000000000A81000-0x0000000000AB1000-memory.dmp

Filesize
192KB

Download
memory/1720-77-0x0000000000060000-0x0000000000082000-memory.dmp

Filesize
136KB

Download
memory/1720-76-0x0000000000060000-0x0000000000082000-memory.dmp

Filesize
136KB

Download
memory/1720-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads