trickbot | 696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f

Analysis

max time kernel
151s
max time network
155s
platform
windows10_x64
resource
win10v20201028
submitted
30-12-2020 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7a3e39984d3eba8e79fc01cb5be27a.exe
Size

612KB
MD5

3c7a3e39984d3eba8e79fc01cb5be27a
SHA1

dc9dfc77669f05bb2e8997f160f3e4b2d4ff91df
SHA256

696f9a352edfd7d28f63b6b88c4afecb946813aeef4cb4bbc12c7db461403b7f
SHA512

e5c5b6b9a03ff1ab1ff688714977e4a5b7b8704a3c5d43492a93258098b5b820dc895e6bbb9b161e33fb9050843b3878216a6f24f5fc4822c0337dae8e484304

Score

10^/10

trickbot mor7 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100008

Botnet

mor7

103.231.115.106:449

117.222.63.100:449

117.254.58.83:449

149.54.11.54:449

170.82.4.64:449

177.11.12.93:449

182.16.187.251:449

187.108.86.48:449

190.152.88.57:449

203.88.149.33:449

36.89.191.119:449

41.159.31.227:449

85.202.128.243:449

92.204.160.82:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ipecho.net
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1404 wermgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3c7a3e39984d3eba8e79fc01cb5be27a.exe

pid process

3576 3c7a3e39984d3eba8e79fc01cb5be27a.exe

flow	ioc
27	ipecho.net

description	pid	process
Token: SeDebugPrivilege	1404	wermgr.exe

pid	process
3576	3c7a3e39984d3eba8e79fc01cb5be27a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3c7a3e39984d3eba8e79fc01cb5be27a.exe

description	pid	process	target process
PID 3576 wrote to memory of 1404	3576	3c7a3e39984d3eba8e79fc01cb5be27a.exe	wermgr.exe
PID 3576 wrote to memory of 1404	3576	3c7a3e39984d3eba8e79fc01cb5be27a.exe	wermgr.exe
PID 3576 wrote to memory of 1404	3576	3c7a3e39984d3eba8e79fc01cb5be27a.exe	wermgr.exe
PID 3576 wrote to memory of 1404	3576	3c7a3e39984d3eba8e79fc01cb5be27a.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\3c7a3e39984d3eba8e79fc01cb5be27a.exe
"C:\Users\Admin\AppData\Local\Temp\3c7a3e39984d3eba8e79fc01cb5be27a.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-5-0x0000000000000000-mapping.dmp

Download
memory/3576-4-0x0000000002260000-0x000000000229C000-memory.dmp

Filesize
240KB

Download