trickbot | 6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

General

Target

6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
Size

368KB
MD5

362066c84500cbdd1a11ab6269eb58cb
SHA1

5e8f26c150d985ee7605c6adaad3009fb1c48a48
SHA256

6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6
SHA512

4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4q6:emSuOcHmnYhrDMTrban4q6

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/1300-134-0x00000000011E0000-0x0000000001209000-memory.dmp	trickbot_loader32
behavioral2/memory/1300-141-0x00000000011E0000-0x0000000001209000-memory.dmp	trickbot_loader32
behavioral2/memory/4940-154-0x0000000000D60000-0x0000000000D89000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4940	1300	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	86
PID 1300 wrote to memory of 4940	1300	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	86
PID 1300 wrote to memory of 4940	1300	6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe	86
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87
PID 4940 wrote to memory of 4848	4940	7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe
"C:\Users\Admin\AppData\Local\Temp\6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
  C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1420546310-613437930-2990200354-1000\0f5007522459c86e95ffcc62f32308f1_4dc48ea0-ec1c-4c48-ab6a-6232968c18bf

Filesize
1KB

MD5
b8d51a4388c7478f4f76cb3fa7f7a110

SHA1
c5ee0d0c614d1679c0b5de8e748be405ff9846b9

SHA256
fd995993d349b1c0c32144e0f12f95f51d6d5a0fa7c7869f39a41534a4489d8b

SHA512
5c8bf8296bc0aae197a2934c26409b7bcbb96e5257a2af74a9d21fa9eca3bdc35d51aa28da3ec09e1d6c9ba863fb14d89fd0158aea1a98fe50a5ac445c5262aa

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe

Filesize
368KB

MD5
362066c84500cbdd1a11ab6269eb58cb

SHA1
5e8f26c150d985ee7605c6adaad3009fb1c48a48

SHA256
6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

SHA512
4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\7a80d98999d63aa3f8966cef139fd778709aeb900a1c6f602d931162a3bad9b7.exe

Filesize
368KB

MD5
362066c84500cbdd1a11ab6269eb58cb

SHA1
5e8f26c150d985ee7605c6adaad3009fb1c48a48

SHA256
6a70d87899d53aa3f7955cef138fd667609aeb900a1c5f502d831152a3bad8b6

SHA512
4c0a08a9d539838968f650595c2b8cb34fe6fb0f5ec6ace26c5632a9d87175f8e374e6c300d960a576664b155bb6929c18731e730b877784bd9c6a2d99f54f39

Download Submit
memory/1300-134-0x00000000011E0000-0x0000000001209000-memory.dmp

Filesize
164KB

Download
memory/1300-141-0x00000000011E0000-0x0000000001209000-memory.dmp

Filesize
164KB

Download
memory/4848-148-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/4848-155-0x00000230C7CA0000-0x00000230C7CA1000-memory.dmp

Filesize
4KB

Download
memory/4940-143-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4940-152-0x0000000002D10000-0x0000000002DCE000-memory.dmp

Filesize
760KB

Download
memory/4940-153-0x0000000002DF0000-0x00000000030B9000-memory.dmp

Filesize
2.8MB

Download
memory/4940-154-0x0000000000D60000-0x0000000000D89000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing