trickbot | 437fc85d1ec4b73ef1a54b8626b92ca0d50a64c901dc17c19eb74d929f857d9b

Analysis

Target

Annual.bin.exe
Size

233KB
MD5

edeb0079066374d0b5d522646e0a2a62
SHA1

3a08af50c97c60b8f5984f95d31e9472e5eb1cc5
SHA256

437fc85d1ec4b73ef1a54b8626b92ca0d50a64c901dc17c19eb74d929f857d9b
SHA512

d01bae4af74bca1f1fd9c11e720bdd7f7aa1abb92f9dc626b41a7430236711984d8e7773683b724453f3dd62344664e192d8038c7a6f43c5d25757556434098d

Score

10^/10

Family

trickbot

Version

100001

Botnet

tar2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes

ecc_pubkey.base64

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

6259.exe

pid process

2504 6259.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ident.me
20 ident.me
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2232 wermgr.exe

pid	process
2504	6259.exe

flow	ioc
19	ident.me
20	ident.me

description	pid	process
Token: SeDebugPrivilege	2232	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Annual.bin.exe6259.exe

description	pid	process	target process
PID 416 wrote to memory of 2504	416	Annual.bin.exe	6259.exe
PID 416 wrote to memory of 2504	416	Annual.bin.exe	6259.exe
PID 416 wrote to memory of 2504	416	Annual.bin.exe	6259.exe
PID 2504 wrote to memory of 2232	2504	6259.exe	wermgr.exe
PID 2504 wrote to memory of 2232	2504	6259.exe	wermgr.exe
PID 2504 wrote to memory of 2232	2504	6259.exe	wermgr.exe
PID 2504 wrote to memory of 2232	2504	6259.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\Annual.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Annual.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Users\Admin\AppData\Local\Temp\6259.exe
MD5
5d75b8689e2cfbfe8065752fd4c4f661

SHA1
9238d8073102fd84c752f6e65edc717944346f20

SHA256
fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22

SHA512
7d842d675df4cbcb1cae10b19d3ca4d68637d98a580ae72c1a11c6a612196e4e1382093bd02dbf2a7e92c8b2aa381ab46fccdf755d2de43bc25d3af38ed86575

Download Submit
C:\Users\Admin\AppData\Local\Temp\6259.exe
MD5
5d75b8689e2cfbfe8065752fd4c4f661

SHA1
9238d8073102fd84c752f6e65edc717944346f20

SHA256
fc3da2468a121aff5433ea738221b5e9fd962c87041654b2c88f5291e0e15f22

SHA512
7d842d675df4cbcb1cae10b19d3ca4d68637d98a580ae72c1a11c6a612196e4e1382093bd02dbf2a7e92c8b2aa381ab46fccdf755d2de43bc25d3af38ed86575

Download Submit
memory/416-0-0x0000000000BD0000-0x0000000000BF6000-memory.dmp

Filesize
152KB

Download
memory/416-1-0x0000000140000000-0x0000000140025000-memory.dmp

Filesize
148KB

Download
memory/2232-7-0x0000000000000000-mapping.dmp

Download
memory/2504-2-0x0000000000000000-mapping.dmp

Download
memory/2504-5-0x0000000000750000-0x000000000078E000-memory.dmp

Filesize
248KB

Download
memory/2504-6-0x0000000002240000-0x000000000227A000-memory.dmp

Filesize
232KB

Download