trickbot | 6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732

Resubmissions

16-11-2020 14:52

201116-v6vf9v4752 10

15-11-2020 22:41

201115-dq3ycmvtns 10

Analysis

max time kernel
591s
max time network
602s
platform
windows7_x64
resource
win7v20201028
submitted
16-11-2020 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe
Size

660KB
MD5

ec54f8dc5c52b45031e0dae26410882c
SHA1

aa836180c50ddba9d93e3a757ce31caa396b60ad
SHA256

6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732
SHA512

4917dd1e659afe938f48f90b0e92168e8598c982160a4135e3e13ebe28c3f0f595f4f9f2e5943d98d1d568d55a2ee6cca37345364d55abde71d1a99b398a9232

Score

10^/10

trickbot tar2 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100001

Botnet

tar2

66.85.183.5:443

185.163.47.157:443

94.140.115.99:443

195.123.240.40:443

195.123.241.226:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1724 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1724	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe

pid	process
1892	6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe
1892	6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe

description	pid	process	target process
PID 1892 wrote to memory of 1724	1892	6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe	wermgr.exe
PID 1892 wrote to memory of 1724	1892	6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe	wermgr.exe
PID 1892 wrote to memory of 1724	1892	6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe	wermgr.exe
PID 1892 wrote to memory of 1724	1892	6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe	wermgr.exe
PID 1892 wrote to memory of 1724	1892	6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe	wermgr.exe
PID 1892 wrote to memory of 1724	1892	6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe
"C:\Users\Admin\AppData\Local\Temp\6c4351f71620b31a44371350bd9dc1f7e581a8dd0506691eca6f9ed9d1d41732.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-2-0x0000000000000000-mapping.dmp

Download
memory/1892-0-0x0000000001C40000-0x0000000001C7E000-memory.dmp

Filesize
248KB

Download
memory/1892-1-0x0000000001CB0000-0x0000000001CEA000-memory.dmp

Filesize
232KB

Download