trickbot | 648d3b8639ff54b8741ec84898b213836594539de6f0c11a6c9f34dccf5e79fe

Analysis

Target

1.exe
Size

400KB
MD5

c5c8b64f2f89c074396266be3424e758
SHA1

3a5ade966e33a398b135c840064eb2a4e5fea761
SHA256

648d3b8639ff54b8741ec84898b213836594539de6f0c11a6c9f34dccf5e79fe
SHA512

aeff3fe19e50275ec851c762c0f124f70068d63230bc34cd66b67e34c102e079f1ce369dccb8ab506eb29f8f0eebcc83f61abf202e21cfffde40c7cbe6b38ff7

Score

10^/10

Family

trickbot

Version

100002

Botnet

yas2

195.123.240.138:443

162.212.158.129:443

144.172.64.26:443

62.108.37.145:443

91.200.103.193:443

194.5.249.195:443

195.123.240.18:443

Attributes

ecc_pubkey.base64

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 216 wermgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1.exe

pid process

828 1.exe

description	pid	process
Token: SeDebugPrivilege	216	wermgr.exe

pid	process
828	1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1.exe

description	pid	process	target process
PID 828 wrote to memory of 216	828	1.exe	wermgr.exe
PID 828 wrote to memory of 216	828	1.exe	wermgr.exe
PID 828 wrote to memory of 216	828	1.exe	wermgr.exe
PID 828 wrote to memory of 216	828	1.exe	wermgr.exe

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

memory/216-3-0x0000000000000000-mapping.dmp

Download
memory/828-2-0x0000000003080000-0x00000000030BA000-memory.dmp

Filesize
232KB

Download