trickbot | c3f53089ed25572ce22bdcc48ff8ffa008018f11e6b7ae0faa06d3d6b365d68c

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3f53089ed25572ce22bdcc48ff8ffa008018f11e6b7ae0faa06d3d6b365d68c.exe
Size

100KB
MD5

78face6532ea097b73d507f3e06bbcac
SHA1

7bb03b4a49477e3972cafe3609d42a912ef6c770
SHA256

c3f53089ed25572ce22bdcc48ff8ffa008018f11e6b7ae0faa06d3d6b365d68c
SHA512

1d6536b0f2ad3349a4d7f7d44ce90da02524fb0ff9451cb2089cb046863cb1024b46c56f4f7615394626f554ae1e71f57ce3cb9441fa7040e66143f8c37787e1
SSDEEP

3072:ykszBKvtbJHYzfMbiGcfQaESRYIl6Q1TTi7:yksFKvgMb4fQCR76Q

Score

10^/10

trickbot ono9 banker discovery trojan

Malware Config

Extracted

Family

trickbot

Version

1000451

Botnet

ono9

172.245.241.25:443

91.235.129.212:443

195.123.233.162:443

193.124.176.170:443

206.217.143.91:443

23.94.137.179:443

23.94.137.223:443

198.46.190.37:443

92.38.171.12:443

195.123.246.2:443

89.105.203.180:443

104.193.252.147:443

195.133.196.102:443

185.252.144.213:443

195.133.144.87:443

78.155.206.85:443

190.154.203.218:449

189.80.134.122:449

125.99.253.34:449

191.37.181.152:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Executes dropped EXE 1 IoCs

pid	Process
2204	c3f73089ed27792ce22bdcc48ff8ffa008018f11e8b9ae0faa08d3d8b387d88c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3f53089ed25572ce22bdcc48ff8ffa008018f11e6b7ae0faa06d3d6b365d68c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3f73089ed27792ce22bdcc48ff8ffa008018f11e8b9ae0faa08d3d8b387d88c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2204	c3f73089ed27792ce22bdcc48ff8ffa008018f11e8b9ae0faa08d3d8b387d88c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2204	2000	taskeng.exe	32
PID 2000 wrote to memory of 2204	2000	taskeng.exe	32
PID 2000 wrote to memory of 2204	2000	taskeng.exe	32
PID 2000 wrote to memory of 2204	2000	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\c3f53089ed25572ce22bdcc48ff8ffa008018f11e6b7ae0faa06d3d6b365d68c.exe
"C:\Users\Admin\AppData\Local\Temp\c3f53089ed25572ce22bdcc48ff8ffa008018f11e6b7ae0faa06d3d6b365d68c.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2452

C:\Windows\system32\taskeng.exe
taskeng.exe {E5A440C3-DD8A-4DA1-80C2-36BD10D02233} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Roaming\NetLibs14\c3f73089ed27792ce22bdcc48ff8ffa008018f11e8b9ae0faa08d3d8b387d88c.exe
  C:\Users\Admin\AppData\Roaming\NetLibs14\c3f73089ed27792ce22bdcc48ff8ffa008018f11e8b9ae0faa08d3d8b387d88c.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NetLibs14\c3f73089ed27792ce22bdcc48ff8ffa008018f11e8b9ae0faa08d3d8b387d88c.exe

Filesize
100KB

MD5
78face6532ea097b73d507f3e06bbcac

SHA1
7bb03b4a49477e3972cafe3609d42a912ef6c770

SHA256
c3f53089ed25572ce22bdcc48ff8ffa008018f11e6b7ae0faa06d3d6b365d68c

SHA512
1d6536b0f2ad3349a4d7f7d44ce90da02524fb0ff9451cb2089cb046863cb1024b46c56f4f7615394626f554ae1e71f57ce3cb9441fa7040e66143f8c37787e1

Download Submit