trickbot | 5cff92f1ea0e23cb1dd493c35d97621d051150426620caf0f674a172c103ce98

Analysis

max time kernel
78s
max time network
130s
platform
windows7_x64
resource
win7v20201028
submitted
30-12-2020 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hlhgk.exe
Size

474KB
MD5

b2e58ff4e1121fff68558f1d5a35e50c
SHA1

2ea49fc43c51268a20def29f473184e0823f8c8b
SHA256

5cff92f1ea0e23cb1dd493c35d97621d051150426620caf0f674a172c103ce98
SHA512

39f8440dc1e6e8a0090504930365050cf81470a7408a996b6caf2cd6783b5822d9878902bd9d7e6e8e23f1e93f0ce487b96017a776f62139bfb4cd2d366c6cd3

Score

10^/10

trickbot mor7 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100008

Botnet

mor7

103.231.115.106:449

117.222.63.100:449

117.254.58.83:449

149.54.11.54:449

170.82.4.64:449

177.11.12.93:449

182.16.187.251:449

187.108.86.48:449

190.152.88.57:449

203.88.149.33:449

36.89.191.119:449

41.159.31.227:449

85.202.128.243:449

92.204.160.82:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ident.me
8 ident.me
Drops file in Windows directory 1 IoCs

Processes:

hlhgk.exe

description ioc process

File opened for modification C:\Windows\explorer.exe hlhgk.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1188 wermgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

hlhgk.exe

pid process

596 hlhgk.exe

flow	ioc
7	ident.me
8	ident.me

description	ioc	process
File opened for modification	C:\Windows\explorer.exe	hlhgk.exe

description	pid	process
Token: SeDebugPrivilege	1188	wermgr.exe

pid	process
596	hlhgk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

hlhgk.exe

description	pid	process	target process
PID 596 wrote to memory of 1188	596	hlhgk.exe	wermgr.exe
PID 596 wrote to memory of 1188	596	hlhgk.exe	wermgr.exe
PID 596 wrote to memory of 1188	596	hlhgk.exe	wermgr.exe
PID 596 wrote to memory of 1188	596	hlhgk.exe	wermgr.exe
PID 596 wrote to memory of 1188	596	hlhgk.exe	wermgr.exe
PID 596 wrote to memory of 1188	596	hlhgk.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\hlhgk.exe
"C:\Users\Admin\AppData\Local\Temp\hlhgk.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-2-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/596-3-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/1188-4-0x0000000000000000-mapping.dmp

Download