trickbot | d11866e458626e81d4aa4bd9fdb441bec5a684ccaf7b786acddb95377d66b72f

Resubmissions

28-10-2020 11:13

201028-y8ahpbqxx6 7

28-10-2020 00:25

201028-ndxae1c7qe 10

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10
submitted
28-10-2020 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fltMC7e0.exe
Size

976KB
MD5

30d365051e1c8ef9a84843ac9b10998f
SHA1

4a01901391b9899b9d07ccff4f8c4521d4644faa
SHA256

d11866e458626e81d4aa4bd9fdb441bec5a684ccaf7b786acddb95377d66b72f
SHA512

8b5a4b88943bd3920fe0ab84369f1e1577a10c869c5c8ebf78e54e84352828adf3326fb368ce6ac9915939712e912ac400bfa750ad05b13f22fb5020ab125829

Score

10^/10

trickbot mor138 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000015

Botnet

mor138

185.227.236.58:443

186.46.91.2:443

187.62.208.234:443

188.17.149.172:443

190.53.45.122:443

190.61.43.130:443

191.7.201.200:443

36.74.73.136:443

36.80.36.21:443

36.89.250.111:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2216 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fltMC7e0.exe

pid process

3836 fltMC7e0.exe
3836 fltMC7e0.exe

description	pid	process
Token: SeDebugPrivilege	2216	wermgr.exe

pid	process
3836	fltMC7e0.exe
3836	fltMC7e0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fltMC7e0.exe

description	pid	process	target process
PID 3836 wrote to memory of 2216	3836	fltMC7e0.exe	wermgr.exe
PID 3836 wrote to memory of 2216	3836	fltMC7e0.exe	wermgr.exe
PID 3836 wrote to memory of 2216	3836	fltMC7e0.exe	wermgr.exe
PID 3836 wrote to memory of 2216	3836	fltMC7e0.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\fltMC7e0.exe
"C:\Users\Admin\AppData\Local\Temp\fltMC7e0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-4-0x0000000000000000-mapping.dmp

Download
memory/3836-3-0x0000000003410000-0x000000000344B000-memory.dmp

Filesize
236KB

Download