Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-12-2020 21:51
General
-
Target
sample.exe
-
Size
592KB
-
MD5
c338a1e442838cc95a6724f2def934b5
-
SHA1
279e903c173a2f7b34806d931b31369788cd90b9
-
SHA256
df4491307732cc8c20abfa4e86609aaef79ce847563f060bfa73b0dc8dce274a
-
SHA512
c77ba9ec89037537919192737d3cb5315b9070059c328e0d69022183dbd6d8667ab4778ffa52082d95ccb8c9412ad4ebe0f1e6eb090c3fa3cb4c920ae31440b7
Score
10/10
Malware Config
Extracted
Family
trickbot
Version
2000013
Botnet
mor133
C2
199.38.120.91:443
199.38.121.150:443
199.38.123.58:443
208.86.162.215:443
208.86.161.113:443
208.86.162.241:443
131.153.22.145:443
62.108.35.29:443
45.89.127.118:443
185.99.2.123:443
62.108.35.36:443
45.89.127.119:443
194.5.249.216:443
185.99.2.160:443
80.85.156.116:443
86.104.194.102:443
Attributes
-
autorunName:pwgrab
ecc_pubkey.base64
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4240-6-0x0000000000000000-mapping.dmp
-
memory/4688-5-0x00000000005E0000-0x000000000061A000-memory.dmpFilesize
232KB