trickbot | 8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1

Analysis

max time kernel
112s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1.exe
Size

368KB
MD5

15fc662938c9c080b36dc7152e430a89
SHA1

f02053869e205a7f28c83b1ec33aa0977ff7e368
SHA256

8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1
SHA512

856aa7ff912530589668eea31668f72db7e0aa3693e625fa20a4f1867381bb28ec0b79d0e51b9796eb79c727c6ff184b29953b27f601427f454b31e070e0c87c
SSDEEP

6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qT:emSuOcHmnYhrDMTrban4qT

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4732-1-0x0000000000B10000-0x0000000000B39000-memory.dmp	trickbot_loader32
behavioral2/memory/4732-8-0x0000000000B10000-0x0000000000B39000-memory.dmp	trickbot_loader32
behavioral2/memory/3972-9-0x00000000013E0000-0x0000000001409000-memory.dmp	trickbot_loader32
behavioral2/memory/3972-24-0x00000000013E0000-0x0000000001409000-memory.dmp	trickbot_loader32
behavioral2/memory/1272-28-0x0000000000BA0000-0x0000000000BC9000-memory.dmp	trickbot_loader32
behavioral2/memory/1272-42-0x0000000000BA0000-0x0000000000BC9000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe
1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 3972	4732	8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1.exe	84
PID 4732 wrote to memory of 3972	4732	8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1.exe	84
PID 4732 wrote to memory of 3972	4732	8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1.exe	84
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 3972 wrote to memory of 3512	3972	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	85
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107
PID 1272 wrote to memory of 404	1272	9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1.exe
"C:\Users\Admin\AppData\Local\Temp\8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Roaming\WNetval\9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe
  C:\Users\Admin\AppData\Roaming\WNetval\9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3512

C:\Users\Admin\AppData\Roaming\WNetval\9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe
C:\Users\Admin\AppData\Roaming\WNetval\9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1479699283-3000499823-2337359760-1000\0f5007522459c86e95ffcc62f32308f1_f4088cb7-eb2a-4ecc-aaae-1ec507574acf

Filesize
1KB

MD5
66b0766bcf8fc74138d0e71a476708ab

SHA1
22d09886147e206670ebebbdf9026bed91cb16fe

SHA256
9f4c04b35bca9c0e0996ce7b4bdc3f9f9cd9afe9de20cb99f51dd5e22b0ad11a

SHA512
bd5704e0c4f491a68ad53ae2a875b830b8983df83049a135d7d4ea8c2f6aee9a2e947e53f5bd85116a94dfb33161cb3b4f41a7f78087af9c760fa0380a184c1a

Download Submit
C:\Users\Admin\AppData\Roaming\WNetval\9ea99830f9b79047b9cbc67613cfe4bbbd4bec7e23f499319abc02a1b273e1c1.exe

Filesize
368KB

MD5
15fc662938c9c080b36dc7152e430a89

SHA1
f02053869e205a7f28c83b1ec33aa0977ff7e368

SHA256
8ea98730f9b69046b9cbc56513cfe4bbbd4bec6e23f488318abc02a1b263e1c1

SHA512
856aa7ff912530589668eea31668f72db7e0aa3693e625fa20a4f1867381bb28ec0b79d0e51b9796eb79c727c6ff184b29953b27f601427f454b31e070e0c87c

Download Submit
memory/404-44-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/1272-28-0x0000000000BA0000-0x0000000000BC9000-memory.dmp

Filesize
164KB

Download
memory/1272-41-0x0000000001CB0000-0x0000000001F79000-memory.dmp

Filesize
2.8MB

Download
memory/1272-42-0x0000000000BA0000-0x0000000000BC9000-memory.dmp

Filesize
164KB

Download
memory/1272-40-0x0000000001440000-0x00000000014FE000-memory.dmp

Filesize
760KB

Download
memory/1272-34-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3512-17-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3512-21-0x0000019731A30000-0x0000019731A31000-memory.dmp

Filesize
4KB

Download
memory/3512-16-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3972-9-0x00000000013E0000-0x0000000001409000-memory.dmp

Filesize
164KB

Download
memory/3972-23-0x0000000003490000-0x0000000003759000-memory.dmp

Filesize
2.8MB

Download
memory/3972-24-0x00000000013E0000-0x0000000001409000-memory.dmp

Filesize
164KB

Download
memory/3972-22-0x00000000033D0000-0x000000000348E000-memory.dmp

Filesize
760KB

Download
memory/3972-15-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/3972-10-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4732-1-0x0000000000B10000-0x0000000000B39000-memory.dmp

Filesize
164KB

Download
memory/4732-8-0x0000000000B10000-0x0000000000B39000-memory.dmp

Filesize
164KB

Download