trickbot | eeff6ccf798f62c083d9ffb79d3807433c39cc153e85db8bab498d0c688af078

Analysis

max time kernel
113s
max time network
71s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lkjh988jlk.exe
Size

731KB
MD5

d55fe9b7f4d6a8ebdfdb7614c06bf17c
SHA1

d4086fb7962f773500f7cd450fbb96f39bd9a0e6
SHA256

eeff6ccf798f62c083d9ffb79d3807433c39cc153e85db8bab498d0c688af078
SHA512

51a9abf7e4e3e7479dbd409414ebce122c09dc04908dbd89f185f5db6429de11f082b28a6d05d16ed1daa822fa0d08942e4a80f7aac7fdcb93ade01fcb8a916e

Score

10^/10

trickbot man7 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000511

Botnet

man7

5.182.211.215:443

144.91.76.208:443

185.99.2.57:443

134.119.191.38:443

195.123.238.17:443

95.171.16.42:443

85.204.116.238:443

185.234.72.242:443

178.157.82.227:443

185.90.61.9:443

45.148.120.205:443

85.204.116.241:443

5.1.81.68:443

51.81.112.191:443

23.239.84.138:443

194.5.250.180:443

194.87.93.114:443

190.214.13.2:449

181.129.104.139:449

181.112.157.42:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1448 wermgr.exe
Token: SeDebugPrivilege 1448 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1448	wermgr.exe
Token: SeDebugPrivilege	1448	wermgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

lkjh988jlk.exe

description	pid	process	target process
PID 884 wrote to memory of 1448	884	lkjh988jlk.exe	wermgr.exe
PID 884 wrote to memory of 1448	884	lkjh988jlk.exe	wermgr.exe
PID 884 wrote to memory of 1448	884	lkjh988jlk.exe	wermgr.exe
PID 884 wrote to memory of 1448	884	lkjh988jlk.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\lkjh988jlk.exe
"C:\Users\Admin\AppData\Local\Temp\lkjh988jlk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-0-0x0000000000AE0000-0x0000000000B0D000-memory.dmp

Filesize
180KB

Download
memory/1448-1-0x0000000000000000-mapping.dmp

Download