trickbot | 3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f

General

Target

3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe
Size

368KB
MD5

4bb384ef166aa19a6a08f22accccca8e
SHA1

ef112992ffaf5b43e4a0235c5f3a7562c4fb6a85
SHA256

3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f
SHA512

47bf71ac953348888fbdcd424252145c1263cce65f01ed6a8f74284455400d02c78e9841a6a787076f26b39a2b04611723f8faa2f77f77fd30f9c4cc95d21206
SSDEEP

6144:Ko5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qM:KmSuOcHmnYhrDMTrban4qM

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4240-1-0x0000000000940000-0x0000000000969000-memory.dmp	trickbot_loader32
behavioral2/memory/2120-24-0x00000000013A0000-0x00000000013C9000-memory.dmp	trickbot_loader32
behavioral2/memory/2120-9-0x00000000013A0000-0x00000000013C9000-memory.dmp	trickbot_loader32
behavioral2/memory/4240-6-0x0000000000940000-0x0000000000969000-memory.dmp	trickbot_loader32
behavioral2/memory/4928-28-0x00000000011A0000-0x00000000011C9000-memory.dmp	trickbot_loader32
behavioral2/memory/4928-42-0x00000000011A0000-0x00000000011C9000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

pid	process
2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

description pid process

Token: SeTcbPrivilege 4928 3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

description	pid	process
Token: SeTcbPrivilege	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

description	pid	process	target process
PID 4240 wrote to memory of 2120	4240	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
PID 4240 wrote to memory of 2120	4240	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
PID 4240 wrote to memory of 2120	4240	3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 2120 wrote to memory of 2824	2120	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe
PID 4928 wrote to memory of 4880	4928	3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe
"C:\Users\Admin\AppData\Local\Temp\3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2824

C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
1KB

MD5
60f22877438b918addaebce822965ebd

SHA1
487cb7dab1984550a3518db2bae280b56b499a34

SHA256
a1a3c7d5d1b80aa328148d868180df705357cc0e500c4afdfc4e4322ab4d1b1b

SHA512
6c80e774914c9ff625fc13dbf56f12c6622e8097becc9be40cb65f2da7ef3f87ae8ea051da845ebd62816eb797acbe90bd417dbd3923ae8a5f977e416c214be1

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\3ba99e304fe2979264214b1c029c3d791d82a89ca01b9d0c43c9d89f07e96c9f.exe

Filesize
368KB

MD5
4bb384ef166aa19a6a08f22accccca8e

SHA1
ef112992ffaf5b43e4a0235c5f3a7562c4fb6a85

SHA256
3ba98e304fe2868254214b1c028c3d691d72a79ca01b8d0c43c9d79f06e95c8f

SHA512
47bf71ac953348888fbdcd424252145c1263cce65f01ed6a8f74284455400d02c78e9841a6a787076f26b39a2b04611723f8faa2f77f77fd30f9c4cc95d21206

Download Submit
memory/2120-15-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2120-10-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2120-9-0x00000000013A0000-0x00000000013C9000-memory.dmp

Filesize
164KB

Download
memory/2120-22-0x0000000003230000-0x00000000034F9000-memory.dmp

Filesize
2.8MB

Download
memory/2120-24-0x00000000013A0000-0x00000000013C9000-memory.dmp

Filesize
164KB

Download
memory/2120-21-0x0000000003130000-0x00000000031EE000-memory.dmp

Filesize
760KB

Download
memory/2824-23-0x000002CD3DBC0000-0x000002CD3DBC1000-memory.dmp

Filesize
4KB

Download
memory/2824-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2824-17-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/4240-1-0x0000000000940000-0x0000000000969000-memory.dmp

Filesize
164KB

Download
memory/4240-6-0x0000000000940000-0x0000000000969000-memory.dmp

Filesize
164KB

Download
memory/4880-44-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/4928-28-0x00000000011A0000-0x00000000011C9000-memory.dmp

Filesize
164KB

Download
memory/4928-35-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/4928-40-0x0000000001D90000-0x0000000001E4E000-memory.dmp

Filesize
760KB

Download
memory/4928-41-0x0000000001E50000-0x0000000002119000-memory.dmp

Filesize
2.8MB

Download
memory/4928-42-0x00000000011A0000-0x00000000011C9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads