trickbot | 4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e

Resubmissions

17-11-2020 11:35

201117-9z6zrn6abs 10

17-11-2020 11:30

201117-5296wztk1j 10

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
Size

407KB
MD5

cd424ccdabd6cfac66395d687b41db6a
SHA1

78fe1f1f5547865f1cac31e36da5e970bbf05268
SHA256

4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e
SHA512

f59b6d2a210a4ef26b64597fe988c7e778cfa3f11f9f72297c11cd351f49640c56e0c102688a41be11a222531526119c0be5a68306f9fd79d45fe9df74c1acf9

Score

10^/10

trickbot tar3 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100002

Botnet

tar3

195.123.240.138:443

162.212.158.129:443

144.172.64.26:443

62.108.37.145:443

91.200.103.193:443

194.5.249.195:443

195.123.240.18:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 3680 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	3680	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 500 wrote to memory of 1468	500	regsvr32.exe	regsvr32.exe
PID 500 wrote to memory of 1468	500	regsvr32.exe	regsvr32.exe
PID 500 wrote to memory of 1468	500	regsvr32.exe	regsvr32.exe
PID 1468 wrote to memory of 3680	1468	regsvr32.exe	wermgr.exe
PID 1468 wrote to memory of 3680	1468	regsvr32.exe	wermgr.exe
PID 1468 wrote to memory of 3680	1468	regsvr32.exe	wermgr.exe
PID 1468 wrote to memory of 3680	1468	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1468-0-0x0000000000000000-mapping.dmp

Download
memory/1468-1-0x00000000031C0000-0x00000000031F8000-memory.dmp

Filesize
224KB

Download
memory/1468-2-0x0000000003320000-0x0000000003356000-memory.dmp

Filesize
216KB

Download
memory/3680-3-0x0000000000000000-mapping.dmp

Download