Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04/11/2020, 02:51

General

  • Target

    198e096f68254a4adf6ec7cbd3d6a1d34accf1e19fdee50f58cab81bbc1b9e86.exe

  • Size

    447KB

  • MD5

    4f959e2a1958c2020043c2399f4c2987

  • SHA1

    2b61b10ec489733e66250fc13a7ff38ee5d31bc1

  • SHA256

    198e096f68254a4adf6ec7cbd3d6a1d34accf1e19fdee50f58cab81bbc1b9e86

  • SHA512

    7cf93ecbabdb2a66786c709345e509c1a30beee41d466f7ff8cd3a77c0102b4046b8be482cba87e4fb0c64e8c7830b5e95f3bedb46dd094f539f281eca8e90fd

Malware Config

Extracted

Family

trickbot

Version

1000085

Botnet

kas83

C2

187.188.162.150:449

185.28.63.109:449

83.0.245.234:449

213.241.29.89:449

62.109.31.123:443

92.63.107.14:443

92.63.107.222:443

92.63.104.211:443

62.109.25.3:443

62.109.26.208:443

37.230.113.231:443

149.154.69.126:443

95.213.191.144:443

82.202.226.229:443

37.230.113.249:443

149.154.69.129:443

185.158.114.72:443

179.43.160.50:443

94.250.254.22:443

149.154.70.248:443

Attributes

  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
  • ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of WriteProcessMemory 1344 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\198e096f68254a4adf6ec7cbd3d6a1d34accf1e19fdee50f58cab81bbc1b9e86.exe
    "C:\Users\Admin\AppData\Local\Temp\198e096f68254a4adf6ec7cbd3d6a1d34accf1e19fdee50f58cab81bbc1b9e86.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Roaming\services\298f097g78365a5aeg7fd7dbe4e7a2e45addg2f29geff60g68dab82bbd2b9f87.exe
      C:\Users\Admin\AppData\Roaming\services\298f097g78365a5aeg7fd7dbe4e7a2e45addg2f29geff60g68dab82bbd2b9f87.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Windows\SYSTEM32\svchost.exe
        svchost.exe
        3⤵
        PID:192
  • C:\Users\Admin\AppData\Roaming\services\298f097g78365a5aeg7fd7dbe4e7a2e45addg2f29geff60g68dab82bbd2b9f87.exe
    C:\Users\Admin\AppData\Roaming\services\298f097g78365a5aeg7fd7dbe4e7a2e45addg2f29geff60g68dab82bbd2b9f87.exe
    1⤵
    • Executes dropped EXE
    PID:2108
    • C:\Windows\system32\svchost.exe
      svchost.exe
      2⤵
      • Modifies data under HKEY_USERS
      PID:3136
  • C:\Users\Admin\AppData\Roaming\services\298f097g78365a5aeg7fd7dbe4e7a2e45addg2f29geff60g68dab82bbd2b9f87.exe
    C:\Users\Admin\AppData\Roaming\services\298f097g78365a5aeg7fd7dbe4e7a2e45addg2f29geff60g68dab82bbd2b9f87.exe
    1⤵
    • Executes dropped EXE
    PID:932
    • C:\Windows\system32\svchost.exe
      svchost.exe
      2⤵
      PID:3896

Network

MITRE ATT&CK Matrix

Downloads

  • memory/192-6-0x0000000140000000-0x0000000140021000-memory.dmp

    Filesize

    132KB

  • memory/3636-0-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB