trickbot | 4704501157675a1efd5f62210297fc25a48dd52ce320ac4e67489040f6e1d335

Resubmissions

05-12-2020 17:56

201205-ew81apm7yx 10

04-12-2020 21:51

201204-yz325t8w7x 10

Analysis

max time kernel
175s
max time network
299s
platform
windows7_x64
resource
win7v20201028
submitted
05-12-2020 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

660KB
MD5

c252603232987121f642be93e9e39348
SHA1

9a06574b7f9f732cf6265fe0aff4c133c1cb8314
SHA256

77b7bbf78f7a14d808b61a23ea7b29c2bc2e3d8faf62bccf3459182730ea42e3
SHA512

70630a8d2c467a6fed99443da2a776c67b6f819c58f5c77d6af8e441a53c891eb169c27a5ee4b5f799d3d51df922d9688d1f4edd55aa6b094d1422291681dc7e

Score

10^/10

trickbot tar3 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100003

Botnet

tar3

102.164.206.129:449

103.131.156.21:449

103.131.157.102:449

103.131.157.161:449

103.146.232.5:449

103.150.68.124:449

103.156.126.232:449

103.30.85.157:449

103.52.47.20:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1772 wermgr.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

sample.exe

pid process

1980 sample.exe
1980 sample.exe
1980 sample.exe
1980 sample.exe

description	pid	process
Token: SeDebugPrivilege	1772	wermgr.exe

pid	process
1980	sample.exe
1980	sample.exe
1980	sample.exe
1980	sample.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 1980 wrote to memory of 1772	1980	sample.exe	wermgr.exe
PID 1980 wrote to memory of 1772	1980	sample.exe	wermgr.exe
PID 1980 wrote to memory of 1772	1980	sample.exe	wermgr.exe
PID 1980 wrote to memory of 1772	1980	sample.exe	wermgr.exe
PID 1980 wrote to memory of 1772	1980	sample.exe	wermgr.exe
PID 1980 wrote to memory of 1772	1980	sample.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1772-4-0x0000000000000000-mapping.dmp

Download
memory/1980-2-0x0000000001DB0000-0x0000000001DEE000-memory.dmp

Filesize
248KB

Download
memory/1980-3-0x0000000001EA0000-0x0000000001EDA000-memory.dmp

Filesize
232KB

Download