Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 14:46

General

  • Target

    e21f86a0329f9fca7eb0492f22d76125.exe

  • Size

    600KB

  • MD5

    5e138a79931adc0c76b0b6ae46d90433

  • SHA1

    7c9ff4a71756b6d8329183294669aabab59195ee

  • SHA256

    c98b7b275bf404b2e20641f7802e686e8a64b7aa72e1ec0152cf03667daea2be

  • SHA512

    847ea4913bf8e1fe99a5f5b5a74d84d0ff15580a7dfab3db8daf2ff3b779e5ba275a1d57cecb65de51a50c3384c493018bb6cf8e0c732b2d1f6690c9e16062dd

Malware Config

Extracted

  • Family
    trickbot
  • Version
    2000016
  • Botnet
    lib7
  • C2
    202.136.89.226:449
    202.169.244.252:449
    203.176.135.38:449
    212.3.104.50:449
    41.203.215.122:449
    41.41.179.239:449
    43.239.152.240:449
    43.242.141.59:449
    43.245.216.190:449
    43.255.113.180:449
    45.230.8.34:449
    45.233.25.6:449
    78.138.128.20:449
    49.156.41.74:449

Attributes

  • autorun
    Name: pwgrab
  • ecc_pubkey.base64

Signatures

  • Trickbot

    First observed in 2016, TrickBot is a modular banking Trojan; the pwgrab module named in the autorun attribute above is its credential-stealing component.

  • Executes dropped EXE (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e21f86a0329f9fca7eb0492f22d76125.exe
    "C:\Users\Admin\AppData\Local\Temp\e21f86a0329f9fca7eb0492f22d76125.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Roaming\Colorwin\e21f86a0329f9fca7eb0492f22d76125.exe
      C:\Users\Admin\AppData\Roaming\Colorwin\e21f86a0329f9fca7eb0492f22d76125.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1000
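The process tree above and the extracted config give three conditions worth hunting for on other hosts: the sample in Temp writes a byte-identical copy of itself under %APPDATA%\Roaming\Colorwin (the Downloads entry below carries the same hashes as the submitted file), relaunches from that copy, and that copy then spawns wermgr.exe after WriteProcessMemory activity, which is where TrickBot's C2 traffic to the port-449 endpoints in the config would originate. The script below is an added example, not part of this report or of any sandbox tooling: it runs those three conditions over constructed Sysmon-style events. The key=value event layout, the parent PIDs, and the attribution of the C2 connect to wermgr.exe are assumptions made for the example; the report itself records no network traffic.

```python
"""Hunt for the TrickBot execution chain and C2 set from this report against
Sysmon-style process, network and file events.

Added example. The EVENTS list is constructed to mirror the sandbox run; its
key=value layout is an assumption, not Sysmon's real schema.
"""
from typing import Dict, List, Tuple

# C2 endpoints from the extracted config (botnet "lib7", all on port 449).
TRICKBOT_C2 = {
    "202.136.89.226:449", "202.169.244.252:449", "203.176.135.38:449",
    "212.3.104.50:449", "41.203.215.122:449", "41.41.179.239:449",
    "43.239.152.240:449", "43.242.141.59:449", "43.245.216.190:449",
    "43.255.113.180:449", "45.230.8.34:449", "45.233.25.6:449",
    "78.138.128.20:449", "49.156.41.74:449",
}

# SHA256 of the submitted sample; the dropped copy in the report has the same hash.
SAMPLE_SHA256 = "c98b7b275bf404b2e20641f7802e686e8a64b7aa72e1ec0152cf03667daea2be"

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\e21f86a0329f9fca7eb0492f22d76125.exe"
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\Colorwin\e21f86a0329f9fca7eb0492f22d76125.exe"
WERMGR = r"C:\Windows\system32\wermgr.exe"

# Constructed events: id 1 = process create, 3 = network connect, 11 = file create.
# PIDs 880/2796/1000 are from the report; parent PIDs 4012 and 700 are invented.
EVENTS = [
    f"id=1 pid=880 ppid=4012 image={TEMP_EXE} parent=C:\\Windows\\explorer.exe",
    f"id=11 pid=880 target={ROAMING_EXE} sha256={SAMPLE_SHA256}",
    f"id=1 pid=2796 ppid=880 image={ROAMING_EXE} parent={TEMP_EXE}",
    f"id=1 pid=1000 ppid=2796 image={WERMGR} parent={ROAMING_EXE}",
    f"id=3 pid=1000 image={WERMGR} dst=202.136.89.226 dport=449",
    # Benign noise: a Windows-spawned wermgr.exe and an unrelated outbound connection.
    f"id=1 pid=4321 ppid=700 image={WERMGR} parent=C:\\Windows\\system32\\svchost.exe",
    f"id=3 pid=4321 image={WERMGR} dst=13.107.4.50 dport=443",
]


def parse(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' event line into a dict (values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def c2_hits(events: List[str]) -> List[Tuple[int, str, str]]:
    """Network connects whose destination ip:port is in the configured C2 set."""
    hits = []
    for ev in map(parse, events):
        if ev["id"] != "3":
            continue
        endpoint = f"{ev['dst']}:{ev['dport']}"
        if endpoint in TRICKBOT_C2:
            hits.append((int(ev["pid"]), ev["image"], endpoint))
    return hits


def _under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def suspicious_wermgr(events: List[str]) -> List[int]:
    """wermgr.exe started by a parent outside C:\\Windows, as in the report's tree."""
    pids = []
    for ev in map(parse, events):
        if (ev["id"] == "1" and ev["image"].lower().endswith("\\wermgr.exe")
                and not _under_windows(ev["parent"])):
            pids.append(int(ev["pid"]))
    return pids


def self_copy_persistence(events: List[str], sample_sha256: str) -> List[str]:
    """Files written under AppData\\Roaming that are byte-identical to the sample."""
    return [
        ev["target"] for ev in map(parse, events)
        if ev["id"] == "11"
        and "\\appdata\\roaming\\" in ev["target"].lower()
        and ev["sha256"] == sample_sha256
    ]


def parent_chain(events: List[str], pid: int) -> List[str]:
    """Walk ppid links back from pid, returning the image path at each hop."""
    procs = {int(ev["pid"]): ev for ev in map(parse, events) if ev["id"] == "1"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = int(procs[pid]["ppid"])
    return chain


if __name__ == "__main__":
    for pid, image, endpoint in c2_hits(EVENTS):
        print(f"C2 contact: pid {pid} {image} -> {endpoint}")
    for pid in suspicious_wermgr(EVENTS):
        print("injection host chain:", " <- ".join(parent_chain(EVENTS, pid)))
    for path in self_copy_persistence(EVENTS, SAMPLE_SHA256):
        print("self-copy staged at:", path)
```

The ip:port set ages quickly as TrickBot rotates C2 servers, so treat it as a short-lived indicator; the two structural conditions (wermgr.exe with a non-Windows parent, and a copy of the sample's hash landing under AppData\Roaming) are the detections worth keeping after the addresses go stale.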

Downloads

  • C:\Users\Admin\AppData\Roaming\Colorwin\e21f86a0329f9fca7eb0492f22d76125.exe
    MD5

    5e138a79931adc0c76b0b6ae46d90433

    SHA1

    7c9ff4a71756b6d8329183294669aabab59195ee

    SHA256

    c98b7b275bf404b2e20641f7802e686e8a64b7aa72e1ec0152cf03667daea2be

    SHA512

    847ea4913bf8e1fe99a5f5b5a74d84d0ff15580a7dfab3db8daf2ff3b779e5ba275a1d57cecb65de51a50c3384c493018bb6cf8e0c732b2d1f6690c9e16062dd

  • memory/880-2-0x0000000002330000-0x0000000002364000-memory.dmp
    Filesize

    208KB

  • memory/1000-9-0x0000000000000000-mapping.dmp
  • memory/2796-3-0x0000000000000000-mapping.dmp