trickbot | 25e00e442aaad7634d767a68e254650bb075e4e8696c9727dbbd271cc04dc261

Analysis

max time kernel
137s
max time network
136s
platform
windows10_x64
resource
win10
submitted
01-08-2020 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe
Size

468KB
MD5

4ea187187c675a57ee52c553496c1359
SHA1

8d6a428b658a7400ff140f276b020979a8903f10
SHA256

25e00e442aaad7634d767a68e254650bb075e4e8696c9727dbbd271cc04dc261
SHA512

0581f860396883c2f170e4b0d9664aea4050466e340a1d7f2ea6ced01e1900affb13a3c1eb5f6d5deab1ccd9a8df4aad4406348caeb662ed61c7f3a7424fe6a4

Score

10^/10

trojan banker trickbot

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

ono57

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe

description	pid	process	target process
PID 3832 wrote to memory of 1748	3832	SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe	wermgr.exe
PID 3832 wrote to memory of 1748	3832	SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe	wermgr.exe
PID 3832 wrote to memory of 1748	3832	SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe	wermgr.exe
PID 3832 wrote to memory of 1748	3832	SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe	wermgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1748 wermgr.exe
Token: SeDebugPrivilege 1748 wermgr.exe
Token: SeDebugPrivilege 1748 wermgr.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.ipify.org
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe

pid process

3832 SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe
3832 SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe

description	pid	process
Token: SeDebugPrivilege	1748	wermgr.exe
Token: SeDebugPrivilege	1748	wermgr.exe
Token: SeDebugPrivilege	1748	wermgr.exe

flow	ioc
20	api.ipify.org

pid	process
3832	SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe
3832	SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.140.24805.2656.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-4-0x0000000000000000-mapping.dmp

Download
memory/3832-3-0x0000000002C10000-0x0000000002C43000-memory.dmp

Filesize
204KB

Download