trickbot | 6d69948642f06db0f507294574ffcc9165a6a4c425cda8c6b9ceeebddf74d44e

General

Target

9c6a0c40e596a7_JC.exe
Size

534KB
MD5

9c6a0c40e596a79464d2b57155a2c6bc
SHA1

fdf10b3c69fb89bddf27cd99d1b8f6519fb38ad8
SHA256

6d69948642f06db0f507294574ffcc9165a6a4c425cda8c6b9ceeebddf74d44e
SHA512

2263f4d6f84459b602da654cfe3c763fa2fb80c926273f1b16c477d15fcbdcd3098db66e6b794d57149793ce0fd038bbac959ea0fd44194f3397459a5d386e91
SSDEEP

12288:Zx1Q61iHsXYvfVpMODDawkCurdEtttYx1VIRdPTOr:ZXQUIsQpMsequrmGx8rOr

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3672-144-0x0000000002660000-0x000000000268E000-memory.dmp	trickbot_loader32
behavioral2/memory/3672-145-0x0000000002630000-0x000000000265C000-memory.dmp	trickbot_loader32
behavioral2/memory/3672-147-0x0000000002660000-0x000000000268E000-memory.dmp	trickbot_loader32
behavioral2/memory/3672-150-0x0000000002660000-0x000000000268E000-memory.dmp	trickbot_loader32
behavioral2/memory/3032-159-0x0000000000D50000-0x0000000000D7E000-memory.dmp	trickbot_loader32
behavioral2/memory/3032-162-0x0000000000D50000-0x0000000000D7E000-memory.dmp	trickbot_loader32

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	9c6a0c40e596a7_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
3672	аНаоすは래별.exe
3032	аНаоすは래별.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2632	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4368	9c6a0c40e596a7_JC.exe
4368	9c6a0c40e596a7_JC.exe
3672	аНаоすは래별.exe
3672	аНаоすは래별.exe
3032	аНаоすは래별.exe
3032	аНаоすは래별.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3672	4368	9c6a0c40e596a7_JC.exe	86
PID 4368 wrote to memory of 3672	4368	9c6a0c40e596a7_JC.exe	86
PID 4368 wrote to memory of 3672	4368	9c6a0c40e596a7_JC.exe	86
PID 3672 wrote to memory of 5016	3672	аНаоすは래별.exe	96
PID 3672 wrote to memory of 5016	3672	аНаоすは래별.exe	96
PID 3672 wrote to memory of 5016	3672	аНаоすは래별.exe	96
PID 3672 wrote to memory of 5016	3672	аНаоすは래별.exe	96
PID 3032 wrote to memory of 2632	3032	аНаоすは래별.exe	103
PID 3032 wrote to memory of 2632	3032	аНаоすは래별.exe	103
PID 3032 wrote to memory of 2632	3032	аНаоすは래별.exe	103
PID 3032 wrote to memory of 2632	3032	аНаоすは래별.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9c6a0c40e596a7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9c6a0c40e596a7_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4368
- C:\ProgramData\аНаоすは래별.exe
  "C:\ProgramData\аНаоすは래별.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:5016

C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\аНаоすは래별.exe

Filesize
534KB

MD5
9c6a0c40e596a79464d2b57155a2c6bc

SHA1
fdf10b3c69fb89bddf27cd99d1b8f6519fb38ad8

SHA256
6d69948642f06db0f507294574ffcc9165a6a4c425cda8c6b9ceeebddf74d44e

SHA512
2263f4d6f84459b602da654cfe3c763fa2fb80c926273f1b16c477d15fcbdcd3098db66e6b794d57149793ce0fd038bbac959ea0fd44194f3397459a5d386e91

Download Submit
C:\ProgramData\аНаоすは래별.exe

Filesize
534KB

MD5
9c6a0c40e596a79464d2b57155a2c6bc

SHA1
fdf10b3c69fb89bddf27cd99d1b8f6519fb38ad8

SHA256
6d69948642f06db0f507294574ffcc9165a6a4c425cda8c6b9ceeebddf74d44e

SHA512
2263f4d6f84459b602da654cfe3c763fa2fb80c926273f1b16c477d15fcbdcd3098db66e6b794d57149793ce0fd038bbac959ea0fd44194f3397459a5d386e91

Download Submit
C:\ProgramData\аНаоすは래별.exe

Filesize
534KB

MD5
9c6a0c40e596a79464d2b57155a2c6bc

SHA1
fdf10b3c69fb89bddf27cd99d1b8f6519fb38ad8

SHA256
6d69948642f06db0f507294574ffcc9165a6a4c425cda8c6b9ceeebddf74d44e

SHA512
2263f4d6f84459b602da654cfe3c763fa2fb80c926273f1b16c477d15fcbdcd3098db66e6b794d57149793ce0fd038bbac959ea0fd44194f3397459a5d386e91

Download Submit
C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe

Filesize
534KB

MD5
9c6a0c40e596a79464d2b57155a2c6bc

SHA1
fdf10b3c69fb89bddf27cd99d1b8f6519fb38ad8

SHA256
6d69948642f06db0f507294574ffcc9165a6a4c425cda8c6b9ceeebddf74d44e

SHA512
2263f4d6f84459b602da654cfe3c763fa2fb80c926273f1b16c477d15fcbdcd3098db66e6b794d57149793ce0fd038bbac959ea0fd44194f3397459a5d386e91

Download Submit
C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe

Filesize
534KB

MD5
9c6a0c40e596a79464d2b57155a2c6bc

SHA1
fdf10b3c69fb89bddf27cd99d1b8f6519fb38ad8

SHA256
6d69948642f06db0f507294574ffcc9165a6a4c425cda8c6b9ceeebddf74d44e

SHA512
2263f4d6f84459b602da654cfe3c763fa2fb80c926273f1b16c477d15fcbdcd3098db66e6b794d57149793ce0fd038bbac959ea0fd44194f3397459a5d386e91

Download Submit
memory/2632-165-0x00000263AE140000-0x00000263AE15E000-memory.dmp

Filesize
120KB

Download
memory/2632-163-0x00000263AE140000-0x00000263AE15E000-memory.dmp

Filesize
120KB

Download
memory/3032-161-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3032-162-0x0000000000D50000-0x0000000000D7E000-memory.dmp

Filesize
184KB

Download
memory/3032-160-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/3032-159-0x0000000000D50000-0x0000000000D7E000-memory.dmp

Filesize
184KB

Download
memory/3672-145-0x0000000002630000-0x000000000265C000-memory.dmp

Filesize
176KB

Download
memory/3672-150-0x0000000002660000-0x000000000268E000-memory.dmp

Filesize
184KB

Download
memory/3672-149-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3672-148-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/3672-147-0x0000000002660000-0x000000000268E000-memory.dmp

Filesize
184KB

Download
memory/3672-144-0x0000000002660000-0x000000000268E000-memory.dmp

Filesize
184KB

Download
memory/5016-153-0x00000211C1A60000-0x00000211C1A7E000-memory.dmp

Filesize
120KB

Download
memory/5016-151-0x00000211C1A60000-0x00000211C1A7E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing