trickbot | 58defe6cd164b4c029214022197533dc376ad0090657d931e1ed57981b1b4498

General

Target

sample.exe
Size

276KB
MD5

fe772386d4d851272a985dae3b0a254a
SHA1

3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a
SHA256

bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2
SHA512

e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec

Score

10^/10

trickbot lib11 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000016

Botnet

lib11

C2

202.136.89.226:449

202.169.244.252:449

203.176.135.38:449

212.3.104.50:449

41.203.215.122:449

41.41.179.239:449

43.239.152.240:449

43.242.141.59:449

43.245.216.190:449

43.255.113.180:449

45.230.8.34:449

45.233.25.6:449

78.138.128.20:449

49.156.41.74:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

sample.exe

pid process

744 sample.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3460 580 WerFault.exe sample.exe
4072 744 WerFault.exe sample.exe

pid	process
744	sample.exe

pid	pid_target	process	target process
3460	580	WerFault.exe	sample.exe
4072	744	WerFault.exe	sample.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

WerFault.exeWerFault.exe

pid	process
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe
4072	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WerFault.exewermgr.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3460	WerFault.exe
Token: SeBackupPrivilege	3460	WerFault.exe
Token: SeDebugPrivilege	3460	WerFault.exe
Token: SeDebugPrivilege	3944	wermgr.exe
Token: SeDebugPrivilege	4072	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

sample.exesample.exe

pid process

580 sample.exe
744 sample.exe

pid	process
580	sample.exe
744	sample.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

sample.exesample.exe

description	pid	process	target process
PID 580 wrote to memory of 744	580	sample.exe	sample.exe
PID 580 wrote to memory of 744	580	sample.exe	sample.exe
PID 580 wrote to memory of 744	580	sample.exe	sample.exe
PID 744 wrote to memory of 3944	744	sample.exe	wermgr.exe
PID 744 wrote to memory of 3944	744	sample.exe	wermgr.exe
PID 744 wrote to memory of 3944	744	sample.exe	wermgr.exe
PID 744 wrote to memory of 3944	744	sample.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 408
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 400
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
MD5
fe772386d4d851272a985dae3b0a254a

SHA1
3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a

SHA256
bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2

SHA512
e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec

Download Submit
C:\Users\Admin\AppData\Roaming\Colorwin\sample.exe
MD5
fe772386d4d851272a985dae3b0a254a

SHA1
3ef8ab7cccd2dabc9d598d4eebf208b5c5d9b33a

SHA256
bfa4dd7b3e2182a6fa772443847b4fe6e70d66c773c5f0b087da566b779d90b2

SHA512
e6c6953286e7801ba2867a942c6fdb3724597368a029dc3faf2046d6a4a1a861c4845b13de1face1bce8e69e0ff26622f195735f1942ed2f01f65e7821f6d8ec

Download Submit
memory/580-4-0x0000000000520000-0x0000000000554000-memory.dmp

Filesize
208KB

Download
memory/744-5-0x0000000000000000-mapping.dmp

Download
memory/744-21-0x0000000000000000-mapping.dmp

Download
memory/3460-12-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3460-13-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/3460-15-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3944-11-0x0000000000000000-mapping.dmp

Download
memory/4072-20-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/4072-23-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads