trickbot | 4704501157675a1efd5f62210297fc25a48dd52ce320ac4e67489040f6e1d335

Resubmissions

05-12-2020 17:56

201205-ew81apm7yx 10

04-12-2020 21:51

201204-yz325t8w7x 10

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
04-12-2020 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

660KB
MD5

c252603232987121f642be93e9e39348
SHA1

9a06574b7f9f732cf6265fe0aff4c133c1cb8314
SHA256

77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
SHA512

70630a8d2c467a6fed99443da2a776c67b6f819c58f5c77d6af8e441a53c891eb169c27a5ee4b5f799d3d51df922d9688d1f4edd55aa6b094d1422291681dc7e

Score

10^/10

trickbot tar3 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100003

Botnet

tar3

102.164.206.129:449

103.131.156.21:449

103.131.157.102:449

103.131.157.161:449

103.146.232.5:449

103.150.68.124:449

103.156.126.232:449

103.30.85.157:449

103.52.47.20:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.ipify.org
21 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1788 wermgr.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

sample.exe

pid process

1836 sample.exe
1836 sample.exe
1836 sample.exe
1836 sample.exe

flow	ioc
20	api.ipify.org
21	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	1788	wermgr.exe

pid	process
1836	sample.exe
1836	sample.exe
1836	sample.exe
1836	sample.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 1836 wrote to memory of 1788	1836	sample.exe	wermgr.exe
PID 1836 wrote to memory of 1788	1836	sample.exe	wermgr.exe
PID 1836 wrote to memory of 1788	1836	sample.exe	wermgr.exe
PID 1836 wrote to memory of 1788	1836	sample.exe	wermgr.exe
PID 1836 wrote to memory of 1788	1836	sample.exe	wermgr.exe
PID 1836 wrote to memory of 1788	1836	sample.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1788-4-0x0000000000000000-mapping.dmp

Download
memory/1836-2-0x0000000002050000-0x000000000208E000-memory.dmp

Filesize
248KB

Download
memory/1836-3-0x00000000020E0000-0x000000000211A000-memory.dmp

Filesize
232KB

Download