Overview

overview

10

Static

static

kdfjglkdfg.exe.dll

windows7_x64

10

kdfjglkdfg.exe.dll

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-11-2020 15:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kdfjglkdfg.exe.dll

  • Size

    407KB

  • MD5

    cd424ccdabd6cfac66395d687b41db6a

  • SHA1

    78fe1f1f5547865f1cac31e36da5e970bbf05268

  • SHA256

    4b592bd56c7d722bc226dcd4c37630c2483f3771a71e7d4f7e57e9ffb867458e

  • SHA512

    f59b6d2a210a4ef26b64597fe988c7e778cfa3f11f9f72297c11cd351f49640c56e0c102688a41be11a222531526119c0be5a68306f9fd79d45fe9df74c1acf9

Score
10/10
trickbottar3bankerdavetrojan

Malware Config

Extracted

Family

trickbot

Version

100002

Botnet

tar3

C2

195.123.240.138:443

162.212.158.129:443

144.172.64.26:443

62.108.37.145:443

91.200.103.193:443

194.5.249.195:443

195.123.240.18:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Dave packer 2 IoCs

    Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

    dave
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\kdfjglkdfg.exe.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:484
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\kdfjglkdfg.exe.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 344
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1140-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1140-4-0x0000000002000000-0x0000000002011000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1140-7-0x0000000002750000-0x0000000002761000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2004-2-0x00000000003A0000-0x00000000003D6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2004-1-0x0000000000210000-0x0000000000248000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2004-0-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-6-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-5-0x0000000000000000-mapping.dmp
    Download