trickbot | 78c267bebcafbf43b0f334ba5105b0ee2f7977ba28ce1f8915570342dce2e573

General

Target

af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exe
Size

475KB
MD5

18a19c324963bb69a492accf4e9a7600
SHA1

6602ce8086c8e90c1673201830f07bc365f1187b
SHA256

af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060
SHA512

0754ca17b59e0c80495340562b5a4e3f635a78ef1453399b756123f3f07f09ed440ccd446c079997f3f6f78493278be7f6298a36123365912ad7002d907edce6
SSDEEP

6144:jCdu2xwKm4poMGNnodOXzHdl+LTaY3V0Vnfg+1zRCNyzoXeEtKyBSn:jZOrpFLQbya3VowyntjSn

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/3540-125-0x0000000002160000-0x0000000002191000-memory.dmp	trickbot_loader32
behavioral1/memory/3540-127-0x0000000002130000-0x0000000002160000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe

pid process

3540 ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3540	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exeՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe

pid	process
4156	af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exe
3540	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exeՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe

description	pid	process	target process
PID 4156 wrote to memory of 3540	4156	af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exe	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe
PID 4156 wrote to memory of 3540	4156	af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exe	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe
PID 4156 wrote to memory of 3540	4156	af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exe	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe
PID 3540 wrote to memory of 4360	3540	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe	svchost.exe
PID 3540 wrote to memory of 4360	3540	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe	svchost.exe
PID 3540 wrote to memory of 4360	3540	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe	svchost.exe
PID 3540 wrote to memory of 4360	3540	ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exe
"C:\Users\Admin\AppData\Local\Temp\af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4156

C:\ProgramData\ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe
"C:\ProgramData\ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2656

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe
Filesize
475KB

MD5
18a19c324963bb69a492accf4e9a7600

SHA1
6602ce8086c8e90c1673201830f07bc365f1187b

SHA256
af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060

SHA512
0754ca17b59e0c80495340562b5a4e3f635a78ef1453399b756123f3f07f09ed440ccd446c079997f3f6f78493278be7f6298a36123365912ad7002d907edce6

Download Submit
C:\ProgramData\ՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբիչՍրբի.exe
Filesize
475KB

MD5
18a19c324963bb69a492accf4e9a7600

SHA1
6602ce8086c8e90c1673201830f07bc365f1187b

SHA256
af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060

SHA512
0754ca17b59e0c80495340562b5a4e3f635a78ef1453399b756123f3f07f09ed440ccd446c079997f3f6f78493278be7f6298a36123365912ad7002d907edce6

Download Submit
memory/3540-125-0x0000000002160000-0x0000000002191000-memory.dmp

Filesize
196KB

Download
memory/3540-126-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3540-127-0x0000000002130000-0x0000000002160000-memory.dmp

Filesize
192KB

Download
memory/3540-128-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/4360-131-0x000001EF2AF90000-0x000001EF2AFB2000-memory.dmp

Filesize
136KB

Download
memory/4360-133-0x000001EF2AF90000-0x000001EF2AFB2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads