trickbot | 0f252d0b4a20555653ca22dcc8141dfeca1091d8dadbb5c98f2c7b3884ee0009

Analysis

max time kernel
112s
max time network
121s
platform
windows7_x64
resource
win7v20201028
submitted
29-12-2020 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

medgcbsgilmy.exe
Size

615KB
MD5

4eb56d76a902ddcfa7c8b056de620838
SHA1

04da6acc5b635a8005b47912bf141c992c1aab61
SHA256

0f252d0b4a20555653ca22dcc8141dfeca1091d8dadbb5c98f2c7b3884ee0009
SHA512

5e330fa04634fc0a6e33f36b908d17786fd262d959def315a520b7d34b2ad396c7881c407a328721387c8fb5e71c7c3f570fcd6310d83c874ab51d376869bb11

Score

10^/10

trickbot mor6 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100008

Botnet

mor6

103.231.115.106:449

117.222.63.100:449

117.254.58.83:449

149.54.11.54:449

170.82.4.64:449

177.11.12.93:449

182.16.187.251:449

187.108.86.48:449

190.152.88.57:449

203.88.149.33:449

36.89.191.119:449

41.159.31.227:449

85.202.128.243:449

92.204.160.82:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ident.me
7 ident.me
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1676 wermgr.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

medgcbsgilmy.exe

pid process

1320 medgcbsgilmy.exe
1320 medgcbsgilmy.exe
1320 medgcbsgilmy.exe

flow	ioc
6	ident.me
7	ident.me

description	pid	process
Token: SeDebugPrivilege	1676	wermgr.exe

pid	process
1320	medgcbsgilmy.exe
1320	medgcbsgilmy.exe
1320	medgcbsgilmy.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

medgcbsgilmy.exe

description	pid	process	target process
PID 1320 wrote to memory of 1676	1320	medgcbsgilmy.exe	wermgr.exe
PID 1320 wrote to memory of 1676	1320	medgcbsgilmy.exe	wermgr.exe
PID 1320 wrote to memory of 1676	1320	medgcbsgilmy.exe	wermgr.exe
PID 1320 wrote to memory of 1676	1320	medgcbsgilmy.exe	wermgr.exe
PID 1320 wrote to memory of 1676	1320	medgcbsgilmy.exe	wermgr.exe
PID 1320 wrote to memory of 1676	1320	medgcbsgilmy.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\medgcbsgilmy.exe
"C:\Users\Admin\AppData\Local\Temp\medgcbsgilmy.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-2-0x0000000001E50000-0x0000000001E90000-memory.dmp

Filesize
256KB

Download
memory/1320-3-0x0000000001EE0000-0x0000000001F1C000-memory.dmp

Filesize
240KB

Download
memory/1676-4-0x0000000000000000-mapping.dmp

Download