trickbot | f0b83514c6f826e695fb34c8264f54e528d355c0765fdcd5f9c3c0e3d6127f54

Resubmissions

23-11-2020 12:02

201123-llrwlpa3jn 10

23-11-2020 11:51

201123-n824g1ydd2 10

Analysis

max time kernel
136s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
23-11-2020 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0b83514c6f826e695fb34c8264f54e528d355c0765fdcd5f9c3c0e3d6127f54.ps1
Size

171B
MD5

d5572751f440766c4c24f20aeb4a368f
SHA1

b4556e63d3b4307878e51d5dfab5ea3a4e9e7946
SHA256

f0b83514c6f826e695fb34c8264f54e528d355c0765fdcd5f9c3c0e3d6127f54
SHA512

19b2c56b04e266df5773c727d3d0137e6e024662286b39d6825c93718c5f93850f0a0536868a9bae72472d92eb00f14512b28cfcb823d737d1c7eabe5f4cbccc

Score

10^/10

trickbot tar3 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100003

Botnet

tar3

102.164.206.129:449

103.131.156.21:449

103.131.157.102:449

103.131.157.161:449

103.146.232.5:449

103.150.68.124:449

103.156.126.232:449

103.30.85.157:449

103.52.47.20:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1992 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

_104579.exe

pid process

740 _104579.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1992 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exewermgr.exe

description pid process

Token: SeDebugPrivilege 1992 powershell.exe
Token: SeDebugPrivilege 520 wermgr.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

_104579.exe

pid process

740 _104579.exe
740 _104579.exe
740 _104579.exe
740 _104579.exe

flow	pid	process
7	1992	powershell.exe

pid	process
740	_104579.exe

pid	process
1992	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	520	wermgr.exe

pid	process
740	_104579.exe
740	_104579.exe
740	_104579.exe
740	_104579.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

powershell.exe_104579.exe

description	pid	process	target process
PID 1992 wrote to memory of 740	1992	powershell.exe	_104579.exe
PID 1992 wrote to memory of 740	1992	powershell.exe	_104579.exe
PID 1992 wrote to memory of 740	1992	powershell.exe	_104579.exe
PID 1992 wrote to memory of 740	1992	powershell.exe	_104579.exe
PID 740 wrote to memory of 520	740	_104579.exe	wermgr.exe
PID 740 wrote to memory of 520	740	_104579.exe	wermgr.exe
PID 740 wrote to memory of 520	740	_104579.exe	wermgr.exe
PID 740 wrote to memory of 520	740	_104579.exe	wermgr.exe
PID 740 wrote to memory of 520	740	_104579.exe	wermgr.exe
PID 740 wrote to memory of 520	740	_104579.exe	wermgr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f0b83514c6f826e695fb34c8264f54e528d355c0765fdcd5f9c3c0e3d6127f54.ps1
1⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\_104579.exe
"C:\Users\Admin\AppData\Local\Temp\_104579.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_104579.exe
MD5
c252603232987121f642be93e9e39348

SHA1
9a06574b7f9f732cf6265fe0aff4c133c1cb8314

SHA256
77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3

SHA512
70630a8d2c467a6fed99443da2a776c67b6f819c58f5c77d6af8e441a53c891eb169c27a5ee4b5f799d3d51df922d9688d1f4edd55aa6b094d1422291681dc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_104579.exe
MD5
c252603232987121f642be93e9e39348

SHA1
9a06574b7f9f732cf6265fe0aff4c133c1cb8314

SHA256
77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3

SHA512
70630a8d2c467a6fed99443da2a776c67b6f819c58f5c77d6af8e441a53c891eb169c27a5ee4b5f799d3d51df922d9688d1f4edd55aa6b094d1422291681dc7e

Download Submit
memory/520-11-0x0000000000000000-mapping.dmp

Download
memory/740-7-0x0000000000000000-mapping.dmp

Download
memory/740-10-0x0000000001FD0000-0x000000000200A000-memory.dmp

Filesize
232KB

Download
memory/740-9-0x0000000001E40000-0x0000000001E7E000-memory.dmp

Filesize
248KB

Download
memory/1992-3-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1992-6-0x000000001C6F0000-0x000000001C6F1000-memory.dmp

Filesize
4KB

Download
memory/1992-5-0x000000001C3B0000-0x000000001C3B1000-memory.dmp

Filesize
4KB

Download
memory/1992-4-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1992-0-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/1992-2-0x000000001AC70000-0x000000001AC71000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download