trickbot | fc15217702b332433079ccd1b797ff2e51c5305241886b03ed7ed55265a1b8eb

General

Target

FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe
Size

348KB
MD5

92c5cb082171843f72b15695a79080f7
SHA1

8fa46a9f210aaaa3a93e3e93183ff34a59b9055f
SHA256

fc37f21ce836b982ca136e18953af2b9219f526833b255a87a3fd5f6c2aff167
SHA512

5422b35c174404f9c3fd1037af702b5f4afa1016873ab33e141931cda96e78ef3818ece87f5b76aa8d59416fd98eff7ecf28504e5a420b5898d5a9c3babcc897
SSDEEP

6144:rkWQuLNawPczZLIjerLQ/pc9FpTg/yVcCmkj:JJL9kFLIer8/p+zMGfNj

Score

10^/10

trickbot jim222 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000192

Botnet

jim222

C2

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:449

109.95.114.28:449

118.91.178.106:449

173.220.6.194:449

179.107.89.145:449

46.20.207.204:449

91.206.4.216:449

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:449

68.227.31.46:449

107.144.49.162:449

46.72.175.17:449

144.48.51.8:449

46.243.179.212:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\wsxmail\ = "0"	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exeGD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

pid	process
1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
1760	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

Loads dropped DLL 1 IoCs

Processes:

FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe

pid process

1956 FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTakeOwnershipPrivilege 2544 svchost.exe

pid	process
1956	FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2544	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exeGD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

description	pid	process	target process
PID 1956 wrote to memory of 1944	1956	FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
PID 1956 wrote to memory of 1944	1956	FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
PID 1956 wrote to memory of 1944	1956	FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
PID 1956 wrote to memory of 1944	1956	FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe
PID 1944 wrote to memory of 2544	1944	GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe
"C:\Users\Admin\AppData\Local\Temp\FC37F21CE836B982CA136E18953AF2B9219F526833B255A87A3FD5F6C2AFF167.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
C:\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Windows security bypass
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\taskeng.exe
taskeng.exe {2E492913-7831-4C03-94A7-B26A8486ADB6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2256

C:\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
C:\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe
2⤵
- Executes dropped EXE
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\wsxmail\GD38G21DF937C992DA137F19963AG2C9219G627933C266A98A3GE6G7D2AGG178.exe

Filesize
348KB

MD5
92c5cb082171843f72b15695a79080f7

SHA1
8fa46a9f210aaaa3a93e3e93183ff34a59b9055f

SHA256
fc37f21ce836b982ca136e18953af2b9219f526833b255a87a3fd5f6c2aff167

SHA512
5422b35c174404f9c3fd1037af702b5f4afa1016873ab33e141931cda96e78ef3818ece87f5b76aa8d59416fd98eff7ecf28504e5a420b5898d5a9c3babcc897

Download Submit
memory/1944-8-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1944-9-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1944-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1956-1-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1956-0-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1956-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2544-15-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2544-14-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/2544-16-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads