trickbot | 763d7811a588969bfea3613ec808234c13c867ded4dee150bc687be0665dcccb

Analysis

Target

sfc8b4.bin.exe
Size

788KB
MD5

a5a28b55cd644c7b83b4641c4fdbf3a5
SHA1

772851debc5ef85a750577ebbae3cf3592c0b3ce
SHA256

58c4bea082b2f44f0beab5356ae2bc9bc73c3f13ab0491861bc2ba24690da103
SHA512

72ab2ba476428714985da8d51d4a65dee188df05310202b49d7f19645bd316266a9744343d22482d45b7bdd18520395aefb5f5eab16f39633cadac675bbf5695

Score

10^/10

Family

trickbot

Version

2000014

Botnet

mor137

103.127.165.250:449

103.109.78.174:449

199.38.120.89:449

103.206.128.121:449

199.38.120.91:443

199.38.121.150:443

199.38.123.58:443

208.86.162.215:443

208.86.161.113:443

208.86.162.241:443

Attributes

ecc_pubkey.base64

Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2232 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

sfc8b4.bin.exe

pid process

4752 sfc8b4.bin.exe
4752 sfc8b4.bin.exe

description	pid	process
Token: SeDebugPrivilege	2232	wermgr.exe

pid	process
4752	sfc8b4.bin.exe
4752	sfc8b4.bin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

sfc8b4.bin.exe

description	pid	process	target process
PID 4752 wrote to memory of 2232	4752	sfc8b4.bin.exe	wermgr.exe
PID 4752 wrote to memory of 2232	4752	sfc8b4.bin.exe	wermgr.exe
PID 4752 wrote to memory of 2232	4752	sfc8b4.bin.exe	wermgr.exe
PID 4752 wrote to memory of 2232	4752	sfc8b4.bin.exe	wermgr.exe

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

memory/2232-4-0x0000000000000000-mapping.dmp

Download
memory/4752-3-0x0000000002C40000-0x0000000002C7A000-memory.dmp

Filesize
232KB

Download