trickbot | 332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af

General

Target

332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af.exe
Size

456KB
MD5

92a1c42ec74509a9adbf7fc75b883744
SHA1

503be973393e658c26398129787a76f1be78ed9d
SHA256

332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af
SHA512

e9b25c38d90423be639bd321330ff9115b1a9de2c5d276b487a9b7ed52aecd70ca7f0889ceb9ba9906b389caffff147231daf5010c919f99b9b71aa63bfa80f2
SSDEEP

6144:B0NHLXu06G10lVMuofe6FC5T+9GvoiOMhV1v5iulsUUg0GyRo/vAGhwd/K6786TQ:mFLXuhXVMuTVT+IQiO0V5blsJGyCMbGf

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 11 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4972-133-0x00000000007E0000-0x000000000080B000-memory.dmp	trickbot_loader32
behavioral2/memory/5032-138-0x0000000000400000-0x0000000000469000-memory.dmp	trickbot_loader32
behavioral2/memory/5032-139-0x00000000006E0000-0x000000000070B000-memory.dmp	trickbot_loader32
behavioral2/memory/4972-140-0x0000000000400000-0x0000000000469000-memory.dmp	trickbot_loader32
behavioral2/memory/4972-141-0x00000000007E0000-0x000000000080B000-memory.dmp	trickbot_loader32
behavioral2/memory/5032-152-0x0000000000400000-0x0000000000469000-memory.dmp	trickbot_loader32
behavioral2/memory/5032-153-0x00000000006E0000-0x000000000070B000-memory.dmp	trickbot_loader32
behavioral2/memory/4048-155-0x0000000000400000-0x0000000000469000-memory.dmp	trickbot_loader32
behavioral2/memory/4048-156-0x00000000001C0000-0x00000000001EB000-memory.dmp	trickbot_loader32
behavioral2/memory/4048-167-0x0000000000400000-0x0000000000469000-memory.dmp	trickbot_loader32
behavioral2/memory/4048-168-0x00000000001C0000-0x00000000001EB000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe

pid	process
5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe

description pid process

Token: SeTcbPrivilege 4048 332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe

flow	ioc
40	wtfismyip.com

description	pid	process
Token: SeTcbPrivilege	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af.exe332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe

description	pid	process	target process
PID 4972 wrote to memory of 5032	4972	332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af.exe	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
PID 4972 wrote to memory of 5032	4972	332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af.exe	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
PID 4972 wrote to memory of 5032	4972	332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af.exe	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 5032 wrote to memory of 1668	5032	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe
PID 4048 wrote to memory of 2432	4048	332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af.exe
"C:\Users\Admin\AppData\Local\Temp\332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Roaming\wnetwork\332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
C:\Users\Admin\AppData\Roaming\wnetwork\332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1668

C:\Users\Admin\AppData\Roaming\wnetwork\332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
C:\Users\Admin\AppData\Roaming\wnetwork\332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\0f5007522459c86e95ffcc62f32308f1_9be0bf4d-f8db-4af4-be85-dc38433c9501
Filesize
1KB

MD5
363a6ec4503251a37b97b5a232f4bfc5

SHA1
c2fde1648b6129f2715437fa3805ba9b0c0d17b0

SHA256
85a784f0fcb2b25e7a7970f35732da1bdad59227c6604c41294531e1068eb7e4

SHA512
7c83aeaedc155d37b6d2c488c419c6a056ea54b98e7d16d0f3a338f61f59c94cb8c98dc3b51cb938eb0b527e47dcb03859d1bf1bdf68adf41d37057529dcb98c

Download Submit
C:\Users\Admin\AppData\Roaming\wnetwork\332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
Filesize
456KB

MD5
92a1c42ec74509a9adbf7fc75b883744

SHA1
503be973393e658c26398129787a76f1be78ed9d

SHA256
332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af

SHA512
e9b25c38d90423be639bd321330ff9115b1a9de2c5d276b487a9b7ed52aecd70ca7f0889ceb9ba9906b389caffff147231daf5010c919f99b9b71aa63bfa80f2

Download Submit
C:\Users\Admin\AppData\Roaming\wnetwork\332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
Filesize
456KB

MD5
92a1c42ec74509a9adbf7fc75b883744

SHA1
503be973393e658c26398129787a76f1be78ed9d

SHA256
332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af

SHA512
e9b25c38d90423be639bd321330ff9115b1a9de2c5d276b487a9b7ed52aecd70ca7f0889ceb9ba9906b389caffff147231daf5010c919f99b9b71aa63bfa80f2

Download Submit
C:\Users\Admin\AppData\Roaming\wnetwork\332f89bcb0db2d1559dc2bb1d9396abcf36758f13fa7370353fc98b9d893a1af.exe
Filesize
456KB

MD5
92a1c42ec74509a9adbf7fc75b883744

SHA1
503be973393e658c26398129787a76f1be78ed9d

SHA256
332f79bcb0db2d1448dc2bb1d9385abcf35647f13fa6360343fc87b9d793a1af

SHA512
e9b25c38d90423be639bd321330ff9115b1a9de2c5d276b487a9b7ed52aecd70ca7f0889ceb9ba9906b389caffff147231daf5010c919f99b9b71aa63bfa80f2

Download Submit
memory/1668-146-0x0000000000000000-mapping.dmp

Download
memory/1668-148-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2432-161-0x0000000000000000-mapping.dmp

Download
memory/4048-155-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4048-168-0x00000000001C0000-0x00000000001EB000-memory.dmp

Filesize
172KB

Download
memory/4048-167-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4048-156-0x00000000001C0000-0x00000000001EB000-memory.dmp

Filesize
172KB

Download
memory/4972-132-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4972-141-0x00000000007E0000-0x000000000080B000-memory.dmp

Filesize
172KB

Download
memory/4972-140-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4972-133-0x00000000007E0000-0x000000000080B000-memory.dmp

Filesize
172KB

Download
memory/5032-139-0x00000000006E0000-0x000000000070B000-memory.dmp

Filesize
172KB

Download
memory/5032-134-0x0000000000000000-mapping.dmp

Download
memory/5032-153-0x00000000006E0000-0x000000000070B000-memory.dmp

Filesize
172KB

Download
memory/5032-152-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5032-138-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5032-143-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads