trickbot | 50afb75b2ba17418fe942e8f83a732a1baac7b9d979324b881c2a13043ea2d4e

Analysis

max time kernel
117s
max time network
131s
platform
windows10_x64
resource
win10
submitted
29-06-2020 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe
Size

540KB
MD5

b4e4c1c7ad5e7807415252e200012b05
SHA1

e5654dafbd641f451ab4a325e22b3fa8f7116ed9
SHA256

50afb75b2ba17418fe942e8f83a732a1baac7b9d979324b881c2a13043ea2d4e
SHA512

c47ca21aa302fc54a825fd056ae5694063d19788252728b3a593115bee216b54082c1f17829a884c63b5e4484b4c821a340195fe559d279a9169c94220084528

Score

10^/10

trojan banker trickbot

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

ono51

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe

description	pid	process	target process
PID 3848 wrote to memory of 420	3848	SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe	wermgr.exe
PID 3848 wrote to memory of 420	3848	SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe	wermgr.exe
PID 3848 wrote to memory of 420	3848	SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe	wermgr.exe
PID 3848 wrote to memory of 420	3848	SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe	wermgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 420 wermgr.exe
Token: SeDebugPrivilege 420 wermgr.exe
Token: SeDebugPrivilege 420 wermgr.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ipinfo.io

description	pid	process
Token: SeDebugPrivilege	420	wermgr.exe
Token: SeDebugPrivilege	420	wermgr.exe
Token: SeDebugPrivilege	420	wermgr.exe

flow	ioc
11	ipinfo.io

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.b4e4c1c7ad5e7807.15807.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/420-1-0x0000000000000000-mapping.dmp

Download
memory/3848-0-0x00000000021F0000-0x0000000002223000-memory.dmp

Filesize
204KB

Download