trickbot | 7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9

General

Target

7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
Size

728KB
MD5

7303c65cd17e9e492b9034e2edeb2381
SHA1

184d689148617ea33efc73f09e4f7c04c05ce7f0
SHA256

7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9
SHA512

4645f08abbdfac8c9164a9d00e1695a90615119c52bca3081add6104a20f212f2aa4216d55a38f46a873a0c7139ea4f9791659e2f0349758c6f7e06099002e6f

Score

10^/10

trickbot tot12 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000017

Botnet

tot12

C2

81.91.234.196:443

2.179.73.140:443

185.160.60.26:443

188.133.138.240:443

181.211.128.49:443

190.107.93.172:443

103.194.88.2:443

203.156.72.34:443

117.222.39.83:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe

pid process

1640 7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe

pid	process
1640	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe

Loads dropped DLL 2 IoCs

Processes:

7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe

pid	process
1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1612 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1612	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe

pid	process
1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
1640	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe

description	pid	process	target process
PID 1772 wrote to memory of 1096	1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	splwow64.exe
PID 1772 wrote to memory of 1096	1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	splwow64.exe
PID 1772 wrote to memory of 1096	1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	splwow64.exe
PID 1772 wrote to memory of 1096	1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	splwow64.exe
PID 1772 wrote to memory of 1640	1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
PID 1772 wrote to memory of 1640	1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
PID 1772 wrote to memory of 1640	1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
PID 1772 wrote to memory of 1640	1772	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
PID 1640 wrote to memory of 1612	1640	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	wermgr.exe
PID 1640 wrote to memory of 1612	1640	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	wermgr.exe
PID 1640 wrote to memory of 1612	1640	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	wermgr.exe
PID 1640 wrote to memory of 1612	1640	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	wermgr.exe
PID 1640 wrote to memory of 1612	1640	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	wermgr.exe
PID 1640 wrote to memory of 1612	1640	7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
"C:\Users\Admin\AppData\Local\Temp\7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1096

C:\Users\Admin\AppData\Roaming\Colorwin\7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
C:\Users\Admin\AppData\Roaming\Colorwin\7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Colorwin\7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
MD5
7303c65cd17e9e492b9034e2edeb2381

SHA1
184d689148617ea33efc73f09e4f7c04c05ce7f0

SHA256
7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9

SHA512
4645f08abbdfac8c9164a9d00e1695a90615119c52bca3081add6104a20f212f2aa4216d55a38f46a873a0c7139ea4f9791659e2f0349758c6f7e06099002e6f

Download Submit
\Users\Admin\AppData\Roaming\Colorwin\7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
MD5
7303c65cd17e9e492b9034e2edeb2381

SHA1
184d689148617ea33efc73f09e4f7c04c05ce7f0

SHA256
7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9

SHA512
4645f08abbdfac8c9164a9d00e1695a90615119c52bca3081add6104a20f212f2aa4216d55a38f46a873a0c7139ea4f9791659e2f0349758c6f7e06099002e6f

Download Submit
\Users\Admin\AppData\Roaming\Colorwin\7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9.exe
MD5
7303c65cd17e9e492b9034e2edeb2381

SHA1
184d689148617ea33efc73f09e4f7c04c05ce7f0

SHA256
7b2b661233d8af2e13cbf8962ad1b409a6494acd806f3d8d43f98eb3ae1fedc9

SHA512
4645f08abbdfac8c9164a9d00e1695a90615119c52bca3081add6104a20f212f2aa4216d55a38f46a873a0c7139ea4f9791659e2f0349758c6f7e06099002e6f

Download Submit
memory/1096-2-0x0000000000000000-mapping.dmp

Download
memory/1612-13-0x0000000000000000-mapping.dmp

Download
memory/1640-6-0x0000000000000000-mapping.dmp

Download
memory/1640-14-0x00000000004C0000-0x00000000004C4000-memory.dmp

Filesize
16KB

Download
memory/1640-15-0x0000000002710000-0x0000000002714000-memory.dmp

Filesize
16KB

Download
memory/1772-3-0x0000000001E90000-0x0000000001EC4000-memory.dmp

Filesize
208KB

Download
memory/1772-11-0x00000000004C0000-0x00000000004C4000-memory.dmp

Filesize
16KB

Download
memory/1772-12-0x0000000002A00000-0x0000000002A04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads