trickbot | 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653

General

Target

73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
Size

724KB
MD5

1a3adc0b25169b3aa6b7779e9b59715d
SHA1

7430bc136e8f7843525d38803ed05a130057481b
SHA256

73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653
SHA512

cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013

Score

10^/10

trickbot tot13 banker spyware trojan

Malware Config

Extracted

Family

trickbot

Version

2000017

Botnet

tot13

C2

81.91.234.196:443

2.179.73.140:443

185.160.60.26:443

188.133.138.240:443

181.211.128.49:443

190.107.93.172:443

103.194.88.2:443

203.156.72.34:443

117.222.39.83:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

pid process

1628 73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

pid	process
1628	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

Loads dropped DLL 2 IoCs

Processes:

73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

pid	process
1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 604 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	604	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

pid	process
1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
1628	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe

description	pid	process	target process
PID 1080 wrote to memory of 1200	1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	splwow64.exe
PID 1080 wrote to memory of 1200	1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	splwow64.exe
PID 1080 wrote to memory of 1200	1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	splwow64.exe
PID 1080 wrote to memory of 1200	1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	splwow64.exe
PID 1080 wrote to memory of 1628	1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
PID 1080 wrote to memory of 1628	1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
PID 1080 wrote to memory of 1628	1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
PID 1080 wrote to memory of 1628	1080	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
PID 1628 wrote to memory of 604	1628	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	wermgr.exe
PID 1628 wrote to memory of 604	1628	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	wermgr.exe
PID 1628 wrote to memory of 604	1628	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	wermgr.exe
PID 1628 wrote to memory of 604	1628	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	wermgr.exe
PID 1628 wrote to memory of 604	1628	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	wermgr.exe
PID 1628 wrote to memory of 604	1628	73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
"C:\Users\Admin\AppData\Local\Temp\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1200

C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
MD5
1a3adc0b25169b3aa6b7779e9b59715d

SHA1
7430bc136e8f7843525d38803ed05a130057481b

SHA256
73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653

SHA512
cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013

Download Submit
\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
MD5
1a3adc0b25169b3aa6b7779e9b59715d

SHA1
7430bc136e8f7843525d38803ed05a130057481b

SHA256
73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653

SHA512
cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013

Download Submit
\Users\Admin\AppData\Roaming\Colorwin\73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653.exe
MD5
1a3adc0b25169b3aa6b7779e9b59715d

SHA1
7430bc136e8f7843525d38803ed05a130057481b

SHA256
73f8d1dcfb02307ba3c44c4a75396afae849a21a20c7af599a05f1b6cb5a9653

SHA512
cb7b5c51faefc13606efb53b8b352ebbfa9da03661c38a42ed61f545df9ecab6638d89676cc8d0f45fba3a748bd9560fe26c486789b31dc61615cd011cb73013

Download Submit
memory/604-15-0x0000000000000000-mapping.dmp

Download
memory/1080-5-0x00000000025F0000-0x0000000002624000-memory.dmp

Filesize
208KB

Download
memory/1080-13-0x0000000000370000-0x0000000000374000-memory.dmp

Filesize
16KB

Download
memory/1080-14-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/1200-4-0x0000000000000000-mapping.dmp

Download
memory/1628-8-0x0000000000000000-mapping.dmp

Download
memory/1628-16-0x00000000002B0000-0x00000000002B4000-memory.dmp

Filesize
16KB

Download
memory/1628-17-0x0000000002780000-0x0000000002784000-memory.dmp

Filesize
16KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads