trickbot | 2af2a7486d3c4e43c3aa46c0bf7e2765b7b2514510753ed2d2f91fe3cd22dfcf

General

Target

2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe
Size

523KB
MD5

58ba75e450aeb628b22394c0daafbe2a
SHA1

484c19427f25874af502f8af15f48dd32bce8f4f
SHA256

2af2a7486d3c4e43c3aa46c0bf7e2765b7b2514510753ed2d2f91fe3cd22dfcf
SHA512

5a76bedffab38ce7b8ba108de914db27fc9787c16e0aa400af48682a65b003c76445129807fbb8fa462d7df28efdef21acb202867f4a349ecaf09cf4995e77fa
SSDEEP

12288:Zx1Q61iHsXYvfVpMODDawkCurdEtttYE3/y8gRYdqHbmJ:ZXQUIsQpMsequrmGCyGk7mJ

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2004-10-0x00000000002C0000-0x00000000002EE000-memory.dmp	trickbot_loader32
behavioral1/memory/2004-13-0x00000000002C0000-0x00000000002EE000-memory.dmp	trickbot_loader32
behavioral1/memory/2004-12-0x0000000000280000-0x00000000002AC000-memory.dmp	trickbot_loader32
behavioral1/memory/2004-16-0x00000000002C0000-0x00000000002EE000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
2004	аНаоすは래별.exe
2672	аНаоすは래별.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe
2520	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	аНаоすは래별.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	аНаоすは래별.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1016	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2520	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe
2520	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe
2004	аНаоすは래별.exe
2004	аНаоすは래별.exe
2672	аНаоすは래별.exe
2672	аНаоすは래별.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2004	2520	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe	30
PID 2520 wrote to memory of 2004	2520	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe	30
PID 2520 wrote to memory of 2004	2520	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe	30
PID 2520 wrote to memory of 2004	2520	2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe	30
PID 2004 wrote to memory of 2692	2004	аНаоすは래별.exe	31
PID 2004 wrote to memory of 2692	2004	аНаоすは래별.exe	31
PID 2004 wrote to memory of 2692	2004	аНаоすは래별.exe	31
PID 2004 wrote to memory of 2692	2004	аНаоすは래별.exe	31
PID 2004 wrote to memory of 2692	2004	аНаоすは래별.exe	31
PID 2004 wrote to memory of 2692	2004	аНаоすは래별.exe	31
PID 2896 wrote to memory of 2672	2896	taskeng.exe	34
PID 2896 wrote to memory of 2672	2896	taskeng.exe	34
PID 2896 wrote to memory of 2672	2896	taskeng.exe	34
PID 2896 wrote to memory of 2672	2896	taskeng.exe	34
PID 2672 wrote to memory of 1016	2672	аНаоすは래별.exe	35
PID 2672 wrote to memory of 1016	2672	аНаоすは래별.exe	35
PID 2672 wrote to memory of 1016	2672	аНаоすは래별.exe	35
PID 2672 wrote to memory of 1016	2672	аНаоすは래별.exe	35
PID 2672 wrote to memory of 1016	2672	аНаоすは래별.exe	35
PID 2672 wrote to memory of 1016	2672	аНаоすは래별.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-03_58ba75e450aeb628b22394c0daafbe2a_icedid.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\ProgramData\аНаоすは래별.exe
  "C:\ProgramData\аНаоすは래별.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {F1FA42E9-CE9F-42A4-97AB-0B274F02D023} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
  C:\Users\Admin\AppData\Roaming\NuiGet\аНаоすは래별.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\аНаоすは래별.exe

Filesize
523KB

MD5
58ba75e450aeb628b22394c0daafbe2a

SHA1
484c19427f25874af502f8af15f48dd32bce8f4f

SHA256
2af2a7486d3c4e43c3aa46c0bf7e2765b7b2514510753ed2d2f91fe3cd22dfcf

SHA512
5a76bedffab38ce7b8ba108de914db27fc9787c16e0aa400af48682a65b003c76445129807fbb8fa462d7df28efdef21acb202867f4a349ecaf09cf4995e77fa

Download Submit
memory/2004-10-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/2004-13-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/2004-12-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2004-15-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2004-14-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2004-16-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/2692-17-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/2692-19-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing