Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
12-11-2020 13:54
General
-
Target
2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe
-
Size
660KB
-
MD5
c17c153f148b11a904690af5e747aa90
-
SHA1
cb7f251f980d3433876038141dfdab4756ab5c76
-
SHA256
2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed
-
SHA512
a66fa9cae65b4e72033b379194508b516a812e80a1bda5ae3f84f8d7b75cf48878e316cce665b8f549e8f8ec8397265c7172e9787cee34f9cb2a3aaecb8b4401
Score
10/10
Malware Config
Extracted
Family
trickbot
Version
100001
Botnet
tar2
C2
66.85.183.5:443
185.163.47.157:443
94.140.115.99:443
195.123.240.40:443
195.123.241.226:443
Attributes
-
autorunName:pwgrab
ecc_pubkey.base64
Signatures
-
Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe"C:\Users\Admin\AppData\Local\Temp\2f84b8a85106e702ca8a3b71db94b1dc8dda5173e9e7b1f672b28c07d37f57ed.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2212-2-0x0000000000000000-mapping.dmp
-
memory/3412-0-0x00000000023F0000-0x000000000242E000-memory.dmpFilesize
248KB
-
memory/3412-1-0x0000000002430000-0x000000000246A000-memory.dmpFilesize
232KB