Analysis

  • max time kernel
    600s
  • max time network
    598s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 18:53

General

  • Target

    asdpogasdjabn.exe

  • Size

    660KB

  • MD5

    3ba7d3dbc17ce640e0bb3dd5f989169b

  • SHA1

    84ee0b6e02339f1deb33d75693551db444923ba8

  • SHA256

    52da51085e5c6d650abf866b1268ccd81d6c0b2c424e12807dc0ac176ac8c929

  • SHA512

    3a683b35dc6b6c17de5a21171625c3fb5259d60c73867aa81b89cedeef61f1b95cce099cc5bb4fdeb2ddf7f2f0236c6d877970768a7f91330ecfbbc38931a231

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

C2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\asdpogasdjabn.exe
    "C:\Users\Admin\AppData\Local\Temp\asdpogasdjabn.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/288-0-0x0000000001F20000-0x0000000001F5E000-memory.dmp

    Filesize

    248KB

  • memory/288-1-0x0000000001F60000-0x0000000001F9A000-memory.dmp

    Filesize

    232KB