trickbot | 8d6a0bc1fd32d4472a02505704e3ea4b5385035b2260665a73e87bf1efea9f65

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d4556afb877184a023e522c7ff762550.exe
Size

613KB
MD5

d4556afb877184a023e522c7ff762550
SHA1

84134a9035e1b3df8b3b850d4a4f78b8425824ce
SHA256

8d6a0bc1fd32d4472a02505704e3ea4b5385035b2260665a73e87bf1efea9f65
SHA512

3490f9d316af9a04ec860adec203b771553b8d4807729322d9b761d61e8d4c50b8b404a1574958e9bd1d54dac0c7e98d130f05630ad3d73ab7639ed188975c1c
SSDEEP

6144:zJB0PLonpe1h5fqpErm9cRLBOtFWaCfmAU+wDhuXCyW8bQQG7NpAv5Zk:zJB0lh5aILwtFPCfmAUtxjEG7NpAv5m

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 9 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/2112-15-0x00000000023D0000-0x00000000023F9000-memory.dmp	trickbot_loader32
behavioral2/memory/2112-19-0x00000000023D0000-0x00000000023F9000-memory.dmp	trickbot_loader32
behavioral2/memory/2112-25-0x00000000023D0000-0x00000000023F9000-memory.dmp	trickbot_loader32
behavioral2/memory/4476-44-0x0000000002AC0000-0x0000000002AE9000-memory.dmp	trickbot_loader32
behavioral2/memory/4476-59-0x0000000002AC0000-0x0000000002AE9000-memory.dmp	trickbot_loader32
behavioral2/memory/4868-80-0x0000000001610000-0x0000000001639000-memory.dmp	trickbot_loader32
behavioral2/memory/4868-94-0x0000000001610000-0x0000000001639000-memory.dmp	trickbot_loader32
behavioral2/memory/4100-117-0x00000000016B0000-0x00000000016D9000-memory.dmp	trickbot_loader32
behavioral2/memory/4100-131-0x00000000016B0000-0x00000000016D9000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
4476	NFAS.d4556afb877184a023e522c7ff762550.exe
4868	NFAS.d4556afb877184a023e522c7ff762550.exe
4100	NFAS.d4556afb877184a023e522c7ff762550.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4868	NFAS.d4556afb877184a023e522c7ff762550.exe
Token: SeTcbPrivilege	4100	NFAS.d4556afb877184a023e522c7ff762550.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2112	NEAS.d4556afb877184a023e522c7ff762550.exe
4476	NFAS.d4556afb877184a023e522c7ff762550.exe
4868	NFAS.d4556afb877184a023e522c7ff762550.exe
4100	NFAS.d4556afb877184a023e522c7ff762550.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4476	2112	NEAS.d4556afb877184a023e522c7ff762550.exe	86
PID 2112 wrote to memory of 4476	2112	NEAS.d4556afb877184a023e522c7ff762550.exe	86
PID 2112 wrote to memory of 4476	2112	NEAS.d4556afb877184a023e522c7ff762550.exe	86
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4476 wrote to memory of 4848	4476	NFAS.d4556afb877184a023e522c7ff762550.exe	87
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4868 wrote to memory of 1748	4868	NFAS.d4556afb877184a023e522c7ff762550.exe	102
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116
PID 4100 wrote to memory of 2552	4100	NFAS.d4556afb877184a023e522c7ff762550.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.d4556afb877184a023e522c7ff762550.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d4556afb877184a023e522c7ff762550.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe
  C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4848

C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe
C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1748

C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe
C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe

Filesize
613KB

MD5
d4556afb877184a023e522c7ff762550

SHA1
84134a9035e1b3df8b3b850d4a4f78b8425824ce

SHA256
8d6a0bc1fd32d4472a02505704e3ea4b5385035b2260665a73e87bf1efea9f65

SHA512
3490f9d316af9a04ec860adec203b771553b8d4807729322d9b761d61e8d4c50b8b404a1574958e9bd1d54dac0c7e98d130f05630ad3d73ab7639ed188975c1c

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe

Filesize
613KB

MD5
d4556afb877184a023e522c7ff762550

SHA1
84134a9035e1b3df8b3b850d4a4f78b8425824ce

SHA256
8d6a0bc1fd32d4472a02505704e3ea4b5385035b2260665a73e87bf1efea9f65

SHA512
3490f9d316af9a04ec860adec203b771553b8d4807729322d9b761d61e8d4c50b8b404a1574958e9bd1d54dac0c7e98d130f05630ad3d73ab7639ed188975c1c

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe

Filesize
613KB

MD5
d4556afb877184a023e522c7ff762550

SHA1
84134a9035e1b3df8b3b850d4a4f78b8425824ce

SHA256
8d6a0bc1fd32d4472a02505704e3ea4b5385035b2260665a73e87bf1efea9f65

SHA512
3490f9d316af9a04ec860adec203b771553b8d4807729322d9b761d61e8d4c50b8b404a1574958e9bd1d54dac0c7e98d130f05630ad3d73ab7639ed188975c1c

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\NFAS.d4556afb877184a023e522c7ff762550.exe

Filesize
613KB

MD5
d4556afb877184a023e522c7ff762550

SHA1
84134a9035e1b3df8b3b850d4a4f78b8425824ce

SHA256
8d6a0bc1fd32d4472a02505704e3ea4b5385035b2260665a73e87bf1efea9f65

SHA512
3490f9d316af9a04ec860adec203b771553b8d4807729322d9b761d61e8d4c50b8b404a1574958e9bd1d54dac0c7e98d130f05630ad3d73ab7639ed188975c1c

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

Filesize
44KB

MD5
2fa68dfe4b49d54e59887ad25dc2a3ff

SHA1
26a328acb0b88c58bac4a07e79322933e5aab46d

SHA256
c0751351719c6614e53479ad4e17981eb083d726810bbd7fab3040fb7b2f14f9

SHA512
a8690cc6181d6a5ec353c9a55e0e9864c62a5b1fa6df4014de3ac1b4efdf56d809345310bb1e0dd4ee47019a38ea173c135f6798b7a8043fe8794a1389057e50

Download Submit
memory/2112-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2112-18-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-9-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-11-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-7-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-12-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-13-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-14-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-15-0x00000000023D0000-0x00000000023F9000-memory.dmp

Filesize
164KB

Download
memory/2112-3-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-19-0x00000000023D0000-0x00000000023F9000-memory.dmp

Filesize
164KB

Download
memory/2112-10-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-8-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-2-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-25-0x00000000023D0000-0x00000000023F9000-memory.dmp

Filesize
164KB

Download
memory/2112-4-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-6-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2112-5-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4100-117-0x00000000016B0000-0x00000000016D9000-memory.dmp

Filesize
164KB

Download
memory/4100-116-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4100-115-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4100-123-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/4100-131-0x00000000016B0000-0x00000000016D9000-memory.dmp

Filesize
164KB

Download
memory/4476-44-0x0000000002AC0000-0x0000000002AE9000-memory.dmp

Filesize
164KB

Download
memory/4476-57-0x0000000003080000-0x000000000313E000-memory.dmp

Filesize
760KB

Download
memory/4476-38-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-39-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-43-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4476-36-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-46-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4476-50-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/4476-33-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-28-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-34-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-58-0x0000000003180000-0x0000000003449000-memory.dmp

Filesize
2.8MB

Download
memory/4476-59-0x0000000002AC0000-0x0000000002AE9000-memory.dmp

Filesize
164KB

Download
memory/4476-35-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-31-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-32-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-30-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-29-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4476-37-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/4848-52-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4848-53-0x000001B0AD580000-0x000001B0AD581000-memory.dmp

Filesize
4KB

Download
memory/4868-71-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-67-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-66-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-65-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-64-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-77-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4868-78-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-80-0x0000000001610000-0x0000000001639000-memory.dmp

Filesize
164KB

Download
memory/4868-88-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/4868-92-0x0000000001C60000-0x0000000001D1E000-memory.dmp

Filesize
760KB

Download
memory/4868-94-0x0000000001610000-0x0000000001639000-memory.dmp

Filesize
164KB

Download
memory/4868-68-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-69-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-70-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-72-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-73-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-74-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4868-75-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download